Bugtraq mailing list archives
Sun CDE 1.0.1: login bug
From: isaac () CALVIN CS QC EDU (Isaac)
Date: Mon, 28 Jul 1997 16:26:40 -0400
Hello,

I apologize if my discovery is old news, yet I thought it important to share and find out if this is being worked on by Sun. The problem is that CDE (Common Desktop Environment) seems to accept logins with usernames which have spaces prepended to them. I am not sure if this is the case with other window managers since I did not test this with other than CDE.

Details:
-------

The following is the 'uname -a' output:

    SunOS [hostname] 5.5 Generic sun4m sparc SUNW,SPARCstation-20

(Same bug was the case on Ultra-1, too, so I don't think that this is an architecture-dependent bug)

Using CDE (Common Desktop Environment), if you enter a few spaces before your username when logging on from the console, the system will log you in normally with no warnings of any kind.

I observed the following traces of suspicious behavior:

The home directory suddenly lists a directory created shortly after login, which is composed of the following structure:

    username-hostname-0/

(I guess the 0 can be incremented to any integer if other similar login instances follow)

I ran a few programs which utilize wtmp/utmp files shortly after login, while being the only user on the host (though I observed the same behavior when other users are logged on, too); below are the outputs:

(Note: the username with which I found this behaviour is 'cshelp')

Output of 'last -1':

    c         console      :0               Mon Jul 28 15:33   still logged in

Output of 'users':

    c

Output of 'who':

    c          console      Jul 28 15:33    (:0)
    cshelp     pts/2        Jul 28 15:34    (:0.0)
    cshelp     pts/3        Jul 28 15:34    (:0.0)

Output of 'w':

      3:34pm  up 1 day(s), 16:49,  1 user,  load average: 0.38, 0.21, 0.10
    User     tty           login@  idle   JCPU   PCPU  what
    c        console       3:33pm34days      2         /bin/csh -c unsetenv _ PWD;
    cshelp   pts/2         3:34pm            1         w
    cshelp   pts/3         3:34pm            1         tcsh

Output of 'finger' (normal):

    Login       Name               TTY         Idle    When    Where
    cshelp   student Aid           console          Mon 15:33  :0

Programs such as 'id' and 'whoami' behaved normally.

Also: launching Mailer 1.0.1 causes a creation of a file which is the username + spaces prepended to it, in /var/mail !

    -rw------- 1 cshelp staff 0 Jul 28 16:08 cshelp

It may be relevant to mention that this file can be deleted problemlessly from there:

    rm \ \ \ \ \ \ \ cshelp
    rm: remove cshelp (y/n)? y

I do not know if I may call this a bug. Perhaps it is my lack of knowledge of SunOS/CDE that drives me in the direction of calling the unknown/unexpected behavior a bug. However, I believe that the observed behaviour is due to the programs which write to wtmp/utmp files.

More importantly, I would very much like to hear from others on this issue.

Curious,
Isaac
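An audit for the artefacts reported above, as an added example that is not part of the original post: it flags mail spool file names and utmp user fields that differ from a real account only by leading whitespace. The function names, the sample data and the 8-byte utmp user field are assumptions; with that width a name entered with seven leading spaces is cut to a single letter and can no longer be attributed to one account.

```python
# Added example, not code from the post. Sample data is constructed from the
# values the post quotes (user 'cshelp', seven leading spaces).

UT_NAMESIZE = 8  # assumption: utmp stores the user name in a fixed 8-byte field


def shadowed_accounts(name, accounts, field_width=None):
    """Return the accounts that a whitespace-padded `name` could stand for.

    An exact match after stripping gives one account. If `name` fills a
    fixed-width field it may have been truncated, so every account starting
    with the surviving characters is a candidate.
    """
    stripped = name.lstrip()
    if stripped == name or not stripped:
        return []                        # no leading whitespace, or blank
    if stripped in accounts:
        return [stripped]
    if field_width and len(name) == field_width:
        return sorted(a for a in accounts if a.startswith(stripped))
    return []


def audit(spool_names, utmp_users, accounts):
    """Return sorted (source, raw_name, candidate_accounts) findings."""
    findings = []
    for raw in spool_names:              # file names under the mail spool
        hits = shadowed_accounts(raw, accounts)
        if hits:
            findings.append(("spool", raw, tuple(hits)))
    for raw in utmp_users:               # raw, unstripped utmp user fields
        hits = shadowed_accounts(raw, accounts, field_width=UT_NAMESIZE)
        if hits:
            findings.append(("utmp", raw, tuple(hits)))
    return sorted(findings)


# Constructed sample input
ACCOUNTS = {"root", "cshelp", "carol"}
SPOOL = ["root", "cshelp", " " * 7 + "cshelp"]
UTMP = ["cshelp", (" " * 7 + "cshelp")[:UT_NAMESIZE]]

if __name__ == "__main__":
    for source, raw, candidates in audit(SPOOL, UTMP, ACCOUNTS):
        print(f"{source}: {raw!r} could be {', '.join(candidates)}")
```

On a real host the inputs would come from a directory listing of the mail spool and from the unstripped user field of each utmp/wtmp record, since tools that print the field trim the padding.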