mailing list archives
Re: Solaris 2.x utmp hole
From: scott () Disclosure COM (Scott Barman)
Date: Thu, 18 May 1995 12:19:23 -0400 (EDT)
On Wed, 17 May 1995, Scott Chasin wrote:
The following is somewhat of a security hole in Solaris 2.x which
allows any non-root user to remove themselves from /var/adm/utmp[x]
files (who, w, finger, etc).
This is interesting. Don't tell me, this is not a bug but a feature!
Why would Sun allow anyone to modify the utmp file?
Now the trick here is also to exploit this enough so that you can
change your ttyname (which can easily be done) and manipulate a
system utility into writing to that new ttyname (which could be a
system file). This example only takes you out of the utmp files.
I tried this under Solaris 2.4 on an Intel box. It worked. It removed
me from the utmp file. I was curious, who I did a "who -a /var/adm/wtmp"
to see what happened. I found a "logout" entry was entered. I did this
a few times to verify it.
So you can't spoof this completly. You should be able to tell that
someone was doing something.
What's to prevent a lot of things? The way I see this, you can make
yourself look like a "real" user! Then how can one trace logins.
Anyone think a CERT advisory should be issued for this??
scott () disclosure com