Re: Solaris 2.x utmp hole
From: cjc () summit novell com (cjc () summit novell com)
Date: Thu, 18 May 1995 09:25 EDT
Subject: Solaris 2.x utmp hole
The following is somewhat of a security hole in Solaris 2.x which
allows any non-root user to remove themselves from /var/adm/utmp[x]
files (who, w, finger, etc).
Now the trick here is also to exploit this enough so that you can
change your ttyname (which can easily be done) and manipulate a
system utility into writing to that new ttyname (which could be a
system file). This example only takes you out of the utmp files.
1. On line 95, the call to gettimeofday should be
"gettimeofday (&(ut->ut_tv), 0);" (yes, my compiler complained
about mismatched prototypes).
2. This bug is not in evidence on UnixWare 2.01.
Christopher J. Calabrese
Network Security Architect
Novell Information Services & Technology, Summit, NJ
cjc () summit novell com