[1834] in bugtraq
Re: Solaris 2.x utmp hole
daemon@ATHENA.MIT.EDU (Scott Barman)
Thu May 18 14:18:01 1995
Date: Thu, 18 May 1995 12:19:23 -0400 (EDT)
From: Scott Barman <scott@Disclosure.COM>
To: Scott Chasin <chasin@crimelab.com>
Cc: bugtraq@crimelab.com
In-Reply-To: <199505172307.RAA18171@crimelab.com>
On Wed, 17 May 1995, Scott Chasin wrote:
>
> The following is somewhat of a security hole in Solaris 2.x which
> allows any non-root user to remove themselves from /var/adm/utmp[x]
> files (who, w, finger, etc).
This is interesting. Don't tell me, this is not a bug but a feature!
Why would Sun allow anyone to modify the utmp file?
> Now the trick here is also to exploit this enough so that you can
> change your ttyname (which can easily be done) and manipulate a
> system utility into writing to that new ttyname (which could be a
> system file). This example only takes you out of the utmp files.
I tried this under Solaris 2.4 on an Intel box. It worked. It removed
me from the utmp file. I was curious, so I did a "who -a /var/adm/wtmp"
to see what happened. I found a "logout" entry was entered. I did this
a few times to verify it.
So you can't spoof this completely. You should be able to tell that
someone was doing something.
What's to prevent a lot of things? The way I see this, you can make
yourself look like a "real" user! Then how can one trace logins?
Anyone think a CERT advisory should be issued for this??
scott barman
scott@disclosure.com
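The cross-check the reply hints at (utmp no longer lists the session, but wtmp carries a "logout" and the tty still has a live process) as an added example, not code from the thread: it works on constructed in-memory records with the utmpx field names (ut_user, ut_line, ut_pid, ut_type) rather than parsing Solaris' on-disk format, and the sample utmp/wtmp/process data is made up.

```python
"""Flag tty lines that still carry a live process but have no current
utmp entry, and show the last wtmp event for that line.  A session that
was deleted from utmp shows up here with a DEAD_PROCESS ("logout") event
on a tty that clearly has not logged out."""
from dataclasses import dataclass

USER_PROCESS, DEAD_PROCESS = 7, 8   # ut_type values used by utmpx


@dataclass(frozen=True)
class Rec:
    user: str   # ut_user
    line: str   # ut_line (tty name)
    pid: int    # ut_pid
    type: int   # ut_type
    time: int   # ut_tv.tv_sec, simplified to an int


def active_lines(utmp):
    """tty -> record for every live login session in utmp."""
    return {r.line: r for r in utmp if r.type == USER_PROCESS}


def last_event_per_line(wtmp):
    """tty -> most recent wtmp record (wtmp is append-only, so sort by time)."""
    last = {}
    for r in sorted(wtmp, key=lambda r: r.time):
        last[r.line] = r
    return last


def find_ghost_sessions(utmp, wtmp, procs):
    """procs maps pid -> (user, controlling tty or "" for none).
    Returns (user, tty, pid, last wtmp ut_type, last wtmp time) for every
    tty that has a process attached but no USER_PROCESS entry in utmp."""
    live = active_lines(utmp)
    last = last_event_per_line(wtmp)
    ghosts = []
    for pid, (user, line) in sorted(procs.items()):
        if line and line not in live:
            ev = last.get(line)
            ghosts.append((user, line, pid,
                           ev.type if ev else None, ev.time if ev else None))
    return ghosts


# Constructed sample: bob's session was removed from utmp; wtmp recorded a
# "logout" for pts/2, yet his shell (pid 2002) is still attached to pts/2.
SAMPLE_UTMP = [Rec("alice", "pts/1", 1001, USER_PROCESS, 100)]
SAMPLE_WTMP = [Rec("alice", "pts/1", 1001, USER_PROCESS, 100),
               Rec("bob", "pts/2", 2002, USER_PROCESS, 110),
               Rec("", "pts/2", 2002, DEAD_PROCESS, 120)]
SAMPLE_PROCS = {1001: ("alice", "pts/1"), 2002: ("bob", "pts/2"),
                3003: ("root", "")}


def demo():
    return find_ghost_sessions(SAMPLE_UTMP, SAMPLE_WTMP, SAMPLE_PROCS)
```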