Bugtraq mailing list archives
Re: Solaris 2.x utmp hole
From: matt () uts EDU AU (Jas)
Date: Thu, 18 May 1995 16:40:12 +1000 (EST)
Scott Chasin wrote this...
The following is somewhat of a security hole in Solaris 2.x which allows any non-root user to remove themselves from /var/adm/utmp[x] files (who, w, finger, etc).
Now the trick here is also to exploit this enough so that you can change your ttyname (which can easily be done) and manipulate a system utility into writing to that new ttyname (which could be a system file). This example only takes you out of the utmp files.
Solaris utmp has had heaps of bugs, why don't Sun just fix it up properly once and for all?? I think I'll put in an RFE for this, just to make it official, even if the &^%*& (favorite expletive here) won't do it.

Matt
--
#!/bin/sh
echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D3F204445524F42snlbxq'|dc;exit
Matthew Keenan
Systems Programmer
Information Technology Division
University of Technology Sydney
Australia

It's nice to be in a position where people apologize because they assume there's humor in your work, based on past experience, but they're not sure where it is. -- Rob Pike