[1830] in bugtraq
Re: Solaris 2.x utmp hole
daemon@ATHENA.MIT.EDU (cjc@summit.novell.com)
Thu May 18 11:29:15 1995
From: cjc@summit.novell.com
To: chasin@crimelab.com, bugtraq@crimelab.com
Date: Thu, 18 May 1995 09:25 EDT

> Subject: Solaris 2.x utmp hole
>
> The following is somewhat of a security hole in Solaris 2.x which
> allows any non-root user to remove themselves from /var/adm/utmp[x]
> files (who, w, finger, etc).
>
> Now the trick here is also to exploit this enough so that you can
> change your ttyname (which can easily be done) and manipulate a
> system utility into writing to that new ttyname (which could be a
> system file). This example only takes you out of the utmp files.

1. On line 95, the call to gettimeofday should be
"gettimeofday (&(ut->ut_tv), 0);" (yes, my compiler complained
about mismatched prototypes).
2. This bug is not in evidence on UnixWare 2.01.
--
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Summit, NJ
cjc@summit.novell.com