[1851] in bugtraq
Re: Solaris 2.x utmp hole
daemon@ATHENA.MIT.EDU (Casper Dik)
Fri May 19 19:48:06 1995
To: Scott Barman <scott@Disclosure.COM>
Cc: Scott Chasin <chasin@crimelab.com>, bugtraq@crimelab.com
In-Reply-To: Your message of "Thu, 18 May 1995 12:19:23 EDT."
             <Pine.SUN.3.90.950518121059.19981A-100000@di.disclosure.com> 
Date: Fri, 19 May 1995 09:11:36 +0200
From: Casper Dik <casper@Holland.Sun.COM>
>On Wed, 17 May 1995, Scott Chasin wrote:
>> 
>> The following is somewhat of a security hole in Solaris 2.x which
>> allows any non-root user to remove themselves from /var/adm/utmp[x]
>> files (who, w, finger, etc).
>
>This is interesting.  Don't tell me, this is not a bug but a feature!
>Why would Sun allow anyone to modify the utmp file?
In Solaris 2.5 this is fixed.  utmp entries added with the set-uid
program "utmp_update" get marked.  Those entries can be removed
and even changed to some extent.
Entries entered by programs running as root (login thru telnetd and
rlogind, ftpd etc) can no longer be removed in 2.5.
Entries added by users themselves can still be removed in 2.5:
that stands to reason as users can simply remove/disable
the code that adds it (e.g., xterm can be started w/o adding
utmp entries)
>What's to prevent a lot of things?  The way I see this, you can make
>yourself look like a "real" user!  Then how can one trace logins.
utmp_update allows only a limited set of operations on utmp*.
You should *not* be able to add ttys you don't have write access to,
names other than yourself.
If you feel that some of the limitations aren't strict enough, report
them and we'll see what we can do about it.
Note that in Solaris 2.4 adding bogus entries to /etc/utmp{,x} shouldn't
give rise to security problems, all relevant programs (syslogd, ufsdump,
talk, write etc) should be safe.  If you find one that isn't, again
report it.
>Anyone think a CERT advisory should be issued for this??
Way overboard.  There are many ways to log in to a system w/o showing
up in utmp.
Casper
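The access policy Casper describes for the set-uid utmp_update helper in Solaris 2.5 (entries it writes are marked; marked entries can be removed or changed by their owner; entries written by root such as login via telnetd, rlogind or ftpd cannot; the caller may not use a name other than their own or a tty they cannot write to) is modelled below as a pure decision function. This is an example added to this archive page, not Sun's utmp_update source: the struct layout, the user_added marker field, the sample utmp table and the way the tty-writability result is passed in are all assumptions. A real helper would obtain caller_name from getpwuid(getuid()) and tty_writable from access(2) on /dev/<line>, which checks against the real uid in a set-uid program.

```c
/* Model of the utmp_update access policy described in the message above.
 * Added example, not Sun's code: field names, the user_added marker and the
 * sample table are assumptions made for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UT_NAMESIZE 32
#define UT_LINESIZE 32

enum ut_op { UT_ADD, UT_MODIFY, UT_REMOVE };

struct ut_entry {
    char user[UT_NAMESIZE];
    char line[UT_LINESIZE];   /* tty name relative to /dev, e.g. "pts/3" */
    int  user_added;          /* 1: written via utmp_update (marked); 0: written by root */
};

/* Constructed sample utmp contents: one root-written login entry for alice,
 * one marked entry alice added herself (e.g. an xterm), one marked entry for bob. */
static const struct ut_entry sample_utmp[] = {
    { "alice", "pts/3", 0 },  /* login via telnetd: root wrote it */
    { "alice", "pts/4", 1 },  /* alice's xterm, added through utmp_update */
    { "bob",   "pts/5", 1 },  /* bob's xterm, added through utmp_update */
};

/* Look up the current entry for a tty line; NULL if the slot is free. */
const struct ut_entry *find_entry(const char *line)
{
    size_t i;
    for (i = 0; i < sizeof sample_utmp / sizeof sample_utmp[0]; i++)
        if (strncmp(sample_utmp[i].line, line, UT_LINESIZE) == 0)
            return &sample_utmp[i];
    return NULL;
}

/* Decide whether the helper may perform op for the real user caller_name.
 * req_user/req_line: the entry the caller asks to add, modify or remove.
 * existing: current entry on that line (NULL if none).
 * tty_writable: whether the caller may write /dev/<req_line> (from access(2)
 * with the real uid in the real program; passed in here so the policy is pure).
 * Returns 1 to allow, 0 to refuse. */
int utmp_update_allowed(enum ut_op op, const char *req_user, const char *req_line,
                        const struct ut_entry *existing,
                        const char *caller_name, int tty_writable)
{
    /* Names other than your own are refused. */
    if (strncmp(req_user, caller_name, UT_NAMESIZE) != 0)
        return 0;
    /* ttys you do not have write access to are refused. */
    if (!tty_writable)
        return 0;

    switch (op) {
    case UT_ADD:
        /* Slot must be free; the helper writes the new entry with user_added = 1. */
        return existing == NULL;
    case UT_MODIFY:
    case UT_REMOVE:
        if (existing == NULL)
            return 0;
        /* Entries written by root (login, telnetd, rlogind, ftpd) are never
         * removable or changeable through the helper. */
        if (!existing->user_added)
            return 0;
        /* Only the owner of a marked entry may touch it, and only on that line. */
        return strncmp(existing->user, caller_name, UT_NAMESIZE) == 0
            && strncmp(existing->line, req_line, UT_LINESIZE) == 0;
    }
    return 0;
}

int main(void)
{
    /* alice may drop her own xterm entry but not the one login wrote for her. */
    printf("remove alice pts/4 as alice: %d\n",
           utmp_update_allowed(UT_REMOVE, "alice", "pts/4", find_entry("pts/4"), "alice", 1));
    printf("remove alice pts/3 as alice: %d\n",
           utmp_update_allowed(UT_REMOVE, "alice", "pts/3", find_entry("pts/3"), "alice", 1));
    printf("add bob pts/9 as alice:      %d\n",
           utmp_update_allowed(UT_ADD, "bob", "pts/9", find_entry("pts/9"), "alice", 1));
    return 0;
}
```

The point of keeping the decision separate from the file writes is that the set-uid helper is the only thing that touches utmp, so every path into it goes through one small, reviewable check; the "marked" bit is what lets the 2.5 helper distinguish the entries it is willing to undo from those a root daemon wrote.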