[21598] in bugtraq
Re: 2.4.x/Slackware Init script vulnerability
daemon@ATHENA.MIT.EDU (twiz - Perla Enrico)
Wed Jul 18 11:48:25 2001
Date: Wed, 18 Jul 2001 00:42:42 +0200 (CEST)
From: twiz - Perla Enrico <twi@boiate.it>
To: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.33.0107160942220.11998-100000@shell.pulltheplug.com>
Message-ID: <Pine.LNX.4.20.0107180041490.251-100000@twisterz.twz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
I've tested it on Slackware 7.0 with kernel 2.4.5:
twisterz:~# uname -r
2.4.5
twisterz:~#
I've noticed that, while /var/run/utmp *is* world writable:
twisterz:~# ls -l /var/run/utmp
-rw-rw-rw- 1 root root 4608 Jul 17 02:27 /var/run/utmp
twisterz:~#
and also /var/run/gpm.pid is -rw-rw-rw-, *but* modules.dep isn't writable:
twisterz:~# ls -l /lib/modules/`uname -r`/modules.dep
-rw-r--r-- 1 root root 2688 Jul 16 19:36 /lib/modules/2.4.5/modules.dep
twisterz:~#
So it can't be edited, and the exploit can't work 'cause you can't
add/change lines to modules.dep.
I'm going to download Slackware 8.0 and test on it; btw, on Slackware 7.0
the possibility you mentioned still holds, as you said:
>
> And of course with /var/run/utmp writeable, users can delete or in
> other ways manipulate their logins as they appear in
> w/who/finger/getlogin(), etc.
>
twiz - twiz@superdotati.net or twi@boiate.it - ./twlc
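The check the post performs by hand (ls -l on /var/run/utmp, /var/run/gpm.pid and modules.dep, looking for the "other" write bit) can be scripted so an administrator can re-run it after an upgrade or a change to the init scripts. The script below is an added example and is not code from the original post or from Slackware; it assumes a POSIX find that understands -prune and octal -perm masks (GNU, BSD and busybox find all do), and the path list is simply the three files the post names, with uname -r substituted as the post does.

```shell
#!/bin/sh
# Added example (not part of the original post): report world-writable
# files among the paths discussed in the thread. CHECK_PATHS lists the
# files named in the post; the functions work on any path.

CHECK_PATHS="/var/run/utmp /var/run/gpm.pid /lib/modules/$(uname -r)/modules.dep"

# is_world_writable PATH
#   returns 0 if PATH exists and has the "other" write bit set,
#           1 if PATH exists without it,
#           2 if PATH does not exist.
is_world_writable() {
    f=$1
    [ -e "$f" ] || return 2
    # -perm -002 : the o+w bit is set (octal mask, portable across finds)
    # -prune     : never descend if PATH happens to be a directory
    if [ -n "$(find "$f" -prune -perm -002 -print 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# audit_paths PATH...
#   prints one line per path in the style of the post's ls -l output and
#   returns 1 if any path is world-writable, 0 otherwise.
audit_paths() {
    rc=0
    for p in "$@"; do
        is_world_writable "$p"
        st=$?
        case $st in
            0) echo "WORLD-WRITABLE: $(ls -ld "$p")"; rc=1 ;;
            1) echo "ok:             $(ls -ld "$p")" ;;
            *) echo "missing:        $p" ;;
        esac
    done
    return $rc
}

# Run the audit on the paths from the post when executed directly.
# (The exit status makes it usable from a cron job or a post-install hook.)
if [ "${AUDIT_RUN:-1}" = 1 ] && [ "$0" != "sh" ]; then
    # shellcheck disable=SC2086
    audit_paths $CHECK_PATHS
fi
```

Run it as root (or any user, since only stat information is needed) and act on any WORLD-WRITABLE line: on the post's Slackware 7.0 box it would flag utmp and gpm.pid and report modules.dep as ok, matching the ls -l output above.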