Sun CDE 1.0.1: login bug
From: isaac () CALVIN CS QC EDU (Isaac)
Date: Mon, 28 Jul 1997 16:26:40 -0400
I apologize if my discovery is old news, yet I thought it important
to share and find out if this is being worked on by Sun.
The problem is that CDE (Common Desktop Environment) seems to
accept logins with usernames which have spaces prepended to them.
I am not sure if this is the case with other window managers since
I did not test this with anything other than CDE.
The following is the 'uname -a' output:
SunOS [hostname] 5.5 Generic sun4m sparc SUNW,SPARCstation-20
(Same bug was the case on Ultra-1, too, so I don't think that
this is an architecture-dependent bug)
Using CDE (Common Desktop Environment), if you enter a few spaces
before your username when logging on from the console, the system will log
you in normally with no warnings of any kind. I observed the following
traces of suspicious behavior:
The home directory suddenly lists a directory created shortly after login,
which is composed of the following structure:
(I guess the 0 can be incremented to any integer if other similar login
I ran a few programs which utilize wtmp/utmp files shortly after login,
while being the only user on the host (though I observed the same behavior
when other users are logged on, too); below are the outputs:
(Note: the username with which I found this behaviour is 'cshelp')
Output of 'last -1':
c console :0 Mon Jul 28 15:33 still logged in
Output of 'users':
Output of 'who':
c console Jul 28 15:33 (:0)
cshelp pts/2 Jul 28 15:34 (:0.0)
cshelp pts/3 Jul 28 15:34 (:0.0)
Output of 'w':
3:34pm up 1 day(s), 16:49, 1 user, load average: 0.38, 0.21, 0.10
User tty login@ idle JCPU PCPU what
c console 3:33pm34days 2 /bin/csh -c unsetenv _ PWD;
cshelp pts/2 3:34pm 1 w
cshelp pts/3 3:34pm 1 tcsh
Output of 'finger' (normal):
Login Name TTY Idle When Where
cshelp student Aid console Mon 15:33 :0
Programs such as 'id' and 'whoami' behaved normally.
Also: launching Mailer 1.0.1 causes the creation of a file
which is the username with spaces prepended to it, in /var/mail!
-rw------- 1 cshelp staff 0 Jul 28 16:08 cshelp
It may be relevant to mention that this file can be deleted
without problems from there:
rm \ \ \ \ \ \ \ cshelp
rm: remove cshelp (y/n)? y
I do not know if I may call this a bug. Perhaps it is my lack of
knowledge of SunOS/CDE that drives me in the direction of calling
the unknown/unexpected behavior a bug. However, I believe that the
observed behaviour is due to the programs which write to wtmp/utmp files.
More importantly, I would very much like to hear from others on this issue.
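Added example, not part of the original post: a small audit that flags mail spool names and login accounting entries that differ from a real account only by padding, as with the 'c' entry and the space-prefixed /var/mail file described above. The 8-byte user field, the function names and the account list (including 'carol') are assumptions made for illustration.

```python
# Added example: flag login/mail names that differ from a real account only by padding.
# Assumption: the accounting user field is a fixed 8 bytes, so 7 spaces + "cshelp"
# is stored as 7 spaces + "c" (consistent with the "c" shown by last/who in the post).
UT_NAMESIZE = 8

def classify(name, accounts, field_width=None):
    """Return (verdict, candidate_accounts) for one observed name."""
    if name in accounts:
        return ("ok", [name])
    core = name.strip()
    if core == name:
        return ("unknown", [])            # no padding involved, just not an account
    if core in accounts:
        return ("padded", [core])         # e.g. a /var/mail file name
    # A full fixed-width field may have cut the name off: match by prefix.
    if field_width and len(name) >= field_width and core:
        hits = sorted(a for a in accounts if a.startswith(core))
        if hits:
            return ("padded-truncated", hits)
    return ("padded-unknown", [])

def audit(spool_names, utmp_users, accounts):
    """List every spool file or accounting entry that is not an exact account name."""
    findings = []
    for source, names, width in (("spool", spool_names, None),
                                 ("utmp", utmp_users, UT_NAMESIZE)):
        for name in names:
            verdict, who = classify(name, accounts, width)
            if verdict != "ok":
                findings.append((source, name, verdict, who))
    return findings

# Constructed sample data modelled on the post (7 leading spaces, as in the rm command).
# "carol" is a hypothetical second account used to show an ambiguous match.
ACCOUNTS = {"root", "carol", "cshelp"}
SPOOL = ["cshelp", " " * 7 + "cshelp"]
UTMP = [(" " * 7 + "cshelp")[:UT_NAMESIZE], "cshelp", "cshelp"]

if __name__ == "__main__":
    for source, name, verdict, who in audit(SPOOL, UTMP, ACCOUNTS):
        print(f"{source}: {name!r} -> {verdict} {who}")
```

With this sample data the truncated accounting entry matches two accounts, so the console session cannot be attributed to one user from that record alone.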