Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: /usr/lib/utmp_update musings
From: paul () argo demon co uk (Paul Ashton)
Date: Thu, 25 May 95 22:52 BST


An analysis of in.comsatd on Solaris 2.4

From truss this looks like the rough idea behind comsatd:-

input -> usertonotify () offset

chdir(/var/mail)
open & read /var/adm/utmp
for each entry (not necessarily active)
1 stat(/dev/entry.ut_line)
  if(statbuf.st_mode & S_IXUSR)
    if fork && child
2     if getpwuid(statbuf.st_uid)->pw_name == usertonotify
        setuid(targetuid) done all over the place
        ...but not a problem if target is root
        fd = open /dev/entry.ut_line, O_RDWR
3       istty = isatty(fd))
3       close(fd)
3       if istty
3         ttyfd = open /dev/entry.ut_line, O_WRONLY|O_CREAT|O_TRUNC, 0666
          write(fd, "New mail ...")
          stat(usertonotify)
          mailfd = open(usertonotify, O_RDONLY)
          lseek(mailfd, offset)
4         fstat(mailfd)
          ioctl(mailfd, TCGETA)
          bytesread = read(mailfd, buf, sizeof buf)
5         write(ttyfd, buf, bytesread)
          write(ttyfd, "- - - -")
6         utime(usertonotify, restoreaccesstime)
          exit
      

Notes.
1. no check for "../" and must of course be a symlink anyway
2. inefficient doing this for every device
3. Check to see if is a device rather than a file
3. Race
3. File opened with O_CREAT, why??
4. I suspect this is stdio rather than code checking to see
   if /var/mail/root isn't a symlink to /etc/shadow
5. No stripping of control codes therefore any amount of dangerous
   escape sequences can be sent
6. Another race if you wish to arbitrarily utime any particular file

To gain root access root must be logged in somewhere with biff y.
He must be no where near his terminal!
Use /usr/lib/utmp_update to create a slot as root with device ../tmp/f

I have a program that does this, including execing the /usr/lib/utmp_update
and it works, but I leave it as an exercise for the reader.

IMHO making this secure on a system with symlinks, world writeable
/var/mail and arbitrarily updateable /var/adm/utmp is doomed to disaster.
If you disallow comsat to root, check if any filenames contain "..", check
if /var/mail/foo is not a symlink or file with more than one hard link,
check that the info you write to the tty only contains printable characters
you're getting closer...

Cheers,
Paul



  By Date           By Thread  

Current thread:
  • Re: /usr/lib/utmp_update musings Paul Ashton (May 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]