[1910] in bugtraq
Re: /usr/lib/utmp_update musings
daemon@ATHENA.MIT.EDU (Paul Ashton)
Thu May 25 20:21:37 1995
Date: Thu, 25 May 95 22:52 BST
From: paul@argo.demon.co.uk (Paul Ashton)
To: bugtraq@fc.net, paul@argo.demon.co.uk
An analysis of in.comsatd on Solaris 2.4
From truss this looks like the rough idea behind comsatd:-

    input -> usertonotify@offset
    chdir(/var/mail)
    open & read /var/adm/utmp
    for each entry (not necessarily active)
1       stat(/dev/entry.ut_line)
        if(statbuf.st_mode & S_IXUSR)
          if fork && child
2           if getpwuid(statbuf.st_uid)->pw_name == usertonotify
              setuid(targetuid)            done all over the place
                                           ...but not a problem if target is root
              fd = open /dev/entry.ut_line, O_RDWR
3             istty = isatty(fd)
3             close(fd)
3             if istty
3               ttyfd = open /dev/entry.ut_line, O_WRONLY|O_CREAT|O_TRUNC, 0666
                write(fd, "New mail ...")
                stat(usertonotify)
                mailfd = open(usertonotify, O_RDONLY)
                lseek(mailfd, offset)
4               fstat(mailfd)
                ioctl(mailfd, TCGETA)
                bytesread = read(mailfd, buf, sizeof buf)
5               write(ttyfd, buf, bytesread)
                write(ttyfd, "- - - -")
6               utime(usertonotify, restoreaccesstime)
                exit

Notes.
1. no check for "../" and must of course be a symlink anyway
2. inefficient doing this for every device
3. Check to see if is a device rather than a file
3. Race
3. File opened with O_CREAT, why??
4. I suspect this is stdio rather than code checking to see
if /var/mail/root isn't a symlink to /etc/shadow
5. No stripping of control codes therefore any amount of dangerous
escape sequences can be sent
6. Another race if you wish to arbitrarily utime any particular file
To gain root access root must be logged in somewhere with biff y.
He must be nowhere near his terminal!
Use /usr/lib/utmp_update to create a slot as root with device ../tmp/f
I have a program that does this, including execing the /usr/lib/utmp_update
and it works, but I leave it as an exercise for the reader.
IMHO making this secure on a system with symlinks, world writeable
/var/mail and arbitrarily updateable /var/adm/utmp is doomed to disaster.
If you disallow comsat to root, check if any filenames contain "..", check
if /var/mail/foo is not a symlink or file with more than one hard link,
check that the info you write to the tty only contains printable characters
you're getting closer...
Cheers,
Paul
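The closing checklist of the post (no ".." in names, a mailbox that is neither a symlink nor multiply hard-linked, only printable characters written to the tty) together with the fix for the stat-then-open race in note 3, as an added C example written for this page; it is not comsatd's source, and the function names and the use of O_NOFOLLOW (a flag that did not exist on Solaris 2.4) are assumptions.

```c
#define _GNU_SOURCE              /* for O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* A utmp ut_line or mailbox name: no absolute path and no empty, "." or ".."
 * component, which rejects the "../tmp/f" slot described in the post. */
int valid_name(const char *s)
{
    if (s == NULL || *s == '\0' || *s == '/') return 0;
    for (const char *p = s; *p != '\0';) {
        size_t n = strcspn(p, "/");
        if (n == 0 || (n == 1 && p[0] == '.') || (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;
        p += n;
        if (*p == '/' && *++p == '\0') return 0;   /* trailing slash */
    }
    return 1;
}

/* Open dir/name with no O_CREAT|O_TRUNC and without following a symlink, then check
 * the opened descriptor itself (stat on the path, then a second open, is the race in
 * note 3): a char device for the tty, or a regular file with one link for the mailbox. */
int open_checked(const char *dir, const char *name, int flags, int want_chr)
{
    char path[PATH_MAX]; struct stat sb;
    if (!valid_name(name) || snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    int fd = open(path, flags | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK);
    if (fd < 0) return -1;
    int ok = fstat(fd, &sb) == 0 &&
             (want_chr ? S_ISCHR(sb.st_mode) : (S_ISREG(sb.st_mode) && sb.st_nlink == 1));
    if (!ok) { close(fd); return -1; }
    return fd;
}

/* Replace everything but printable ASCII, tab and newline with '?' so no escape
 * sequence embedded in the mail reaches the terminal (note 5); returns bytes replaced. */
size_t sanitize_for_tty(const unsigned char *in, size_t n, char *out)
{
    size_t replaced = 0;
    for (size_t i = 0; i < n; i++) {
        int keep = in[i] == '\n' || in[i] == '\t' || (in[i] >= 0x20 && in[i] < 0x7f);
        out[i] = keep ? (char)in[i] : '?'; replaced += !keep;
    }
    return replaced;
}
```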