Bugtraq mailing list archives

Re: Solaris 2.x utmp hole
From: cjc () summit novell com (cjc () summit novell com)
Date: Thu, 18 May 1995 09:25 EDT

Subject: Solaris 2.x utmp hole

The following is somewhat of a security hole in Solaris 2.x which
allows any non-root user to remove themselves from /var/adm/utmp[x]
files (who, w, finger, etc).

Now the trick here is also to exploit this enough so that you can
change your ttyname (which can easily be done) and manipulate a
system utility into writing to that new ttyname (which could be a
system file).  This example only takes you out of the utmp files.

1.  On line 95, the call to gettimeofday should be
    "gettimeofday (&(ut->ut_tv), 0);" (yes, my compiler complained
    about mis-matched prototypes).

2.  This bug is not in evidence on UnixWare 2.01.

Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Summit, NJ
cjc () summit novell com
