Re: utmp
H Morrow Long (long-morrow cs.yale.edu)
Tue, 22 Mar 1994 10:16:01 -0500
- In reply to: Aleph One: "utmp"
>From: Aleph One <hbcsc009huey.csun.edu>
>
>Hmm, anyone can explain a bit more the recent CERT advisory on /etc/utmp.
>I assume the attackers were able to obtain root by fooling programs that
>only use the information in /etc/utmp for authentication, instead of
>calling for the user's user id and real user id. Anyone mind extending
>this description...

For one thing, older versions of the SunOS 4.1* comsat program could be
fooled into writing to system files by editing /etc/utmp and changing
your (or anyone's) tty to point to a file or symbolic link pointing to
a file you wish to write to and then sending e-mail to that userid with
the text you wish written to that file.

I believe the exploitation of that hole goes like this:

 o create a symlink called /tmp/f pointing at /etc/passwd

 o edit /etc/utmp and change one of your current login sessions
   on a tty to point to 'tty' /tmp/f instead (you may need to make
   it point to ../tmp/f since the tty names are assumed to have
   /dev/ prepended to them).

 o send yourself local e-mail on that machine with this text in it:

      toor::0:1:tooR:/:

 o the rest is obvious.

- Morrow
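
An added example, not part of the original message and not SunOS code: one way a daemon that writes to the terminal named in /etc/utmp could treat that field as untrusted input. The function name `open_tty_checked` and its `devdir` parameter are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open the terminal named by a utmp ut_line field.
 * ut_line is untrusted and may lack a terminating NUL, so its length is
 * passed in. Returns a writable fd on a character device, or -1. */
int open_tty_checked(const char *devdir, const char *ut_line, size_t len)
{
    char name[64], path[PATH_MAX];
    struct stat st;
    size_t n = strnlen(ut_line, len);
    int fd;
    if (n == 0 || n >= sizeof(name))
        return -1;
    memcpy(name, ut_line, n);
    name[n] = '\0';

    /* Stay inside devdir: no absolute names and no ".." anywhere
     * (this is what stops a name such as "../tmp/f"). */
    if (name[0] == '/' || strstr(name, "..") != NULL)
        return -1;
    if (snprintf(path, sizeof(path), "%s/%s", devdir, name) >= (int)sizeof(path))
        return -1;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_NONBLOCK/O_NOCTTY: never hang on, or adopt, the terminal. */
    fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0)
        return -1;

    /* Check the object actually opened, not its name: a regular file
     * such as /etc/passwd is rejected here. */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed input: the tty name used in the post above. */
    printf("../tmp/f -> %d\n", open_tty_checked("/dev", "../tmp/f", 8));
    return 0;
}
```

The name checks alone are not sufficient; the `fstat` test on the opened descriptor is what rejects a regular file, and /etc/utmp itself should not be writable by ordinary users.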