Dear Nekral,

>> Seems to me that as things stand, writing a suitable utmp entry would
>> trick login into chowning an arbitrary file. Should I attempt to write
>> an exploit/demo?
>
> That would be nice to check if it would be possible to chown /etc/shadow
> by cheating utmp.
>
> A fake demo would be nice.
> (by "fake demo", I mean that you do not have to find a way to guess the
> PID, but can recompile a new login which uses a hardcoded utmp entry in
> checkutmp; that would be sufficient since we already know the utmp entry
> selection is wrong and can be cheated)
>
> I hope is_my_tty protects it, but I did not check at all the complete
> path.
I expect the following would work:

Predict what PID and tty will be used by login. (This is rather simple:
surely the next available ones, maybe the current tty.) For the sake of
example, say these are PID=123 and tty=/dev/pts/1.

Pre-create a symlink /tmp/x -> /dev/pts/1 and write a utmp entry with
PID=123, line=/tmp/x, type=LOGIN_PROCESS.

Run login.

While login is running, change /tmp/x to point to /etc/shadow. We win the
race if the change is done after stat(tty,...) within is_my_tty and before
chown(tty,...) in chown_tty.

Hope this is sufficient...

Cheers, Paul

Paul Szabo   [EMAIL PROTECTED]   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
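The window Paul describes (a stat() in is_my_tty and a later chown() in chown_tty, both resolving the utmp line by name) can be reproduced without a real terminal. The C program below is an added example written for this page; it is not code from the thread or from the shadow package. It puts the path-based check-then-act pattern beside a descriptor-based one (open with O_NOFOLLOW, fstat the descriptor, fchown the same descriptor) and measures the window on a constructed scratch directory in which a symlink is retargeted between two resolutions. All function and struct names (chown_tty_by_path, open_tty_checked, chown_tty_by_fd, window_changes_target, setup_demo) are invented for the example, and regular files stand in for the tty, so nothing is actually chowned.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Path-based pattern (the shape the thread describes): stat() a line taken
 * from utmp, then chown() that same name. Each call resolves the path on its
 * own, so a symlink retargeted between them makes chown() act on another file. */
int chown_tty_by_path(const char *line, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(line, &st) != 0)
        return -1;
    if (!S_ISCHR(st.st_mode)) {
        errno = ENOTTY;
        return -1;
    }
    /* race window: nothing binds the inode stat() saw to the chown() below */
    return chown(line, uid, gid);
}

/* Descriptor-based pattern: open once without following symlinks, verify the
 * descriptor with fstat(), and act on that descriptor. Later changes to the
 * name cannot change the inode already held. */
int open_tty_checked(const char *line)
{
    int fd = open(line, O_RDWR | O_NOCTTY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1; /* ELOOP when line is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);
        errno = ENOTTY;
        return -1;
    }
    return fd;
}

int chown_tty_by_fd(const char *line, uid_t uid, gid_t gid)
{
    int fd = open_tty_checked(line);
    if (fd < 0)
        return -1;
    int rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Measures the window: resolve the name, run an arbitrary action, resolve it
 * again. Returns 1 if the two resolutions name different inodes, 0 if not. */
int window_changes_target(const char *line, void (*in_window)(void *), void *arg)
{
    struct stat before, after;
    if (stat(line, &before) != 0)
        return -1;
    in_window(arg);
    if (stat(line, &after) != 0)
        return -1;
    return before.st_dev != after.st_dev || before.st_ino != after.st_ino;
}

/* Action for the window above: retarget a symlink (stand-in for the
 * "change /tmp/x" step in the message). */
struct swap_args { const char *link; const char *new_target; };
void swap_symlink_hook(void *arg)
{
    struct swap_args *s = arg;
    unlink(s->link);
    symlink(s->new_target, s->link);
}

/* Constructed fixture: scratch directory with two regular files a and b and a
 * symlink x -> a. Regular files replace devices, so no ownership changes. */
struct demo { char dir[40]; char file_a[48]; char file_b[48]; char link[48]; };
int setup_demo(struct demo *d)
{
    strcpy(d->dir, "/tmp/tocttou-demo-XXXXXX");
    if (mkdtemp(d->dir) == NULL)
        return -1;
    snprintf(d->file_a, sizeof d->file_a, "%s/a", d->dir);
    snprintf(d->file_b, sizeof d->file_b, "%s/b", d->dir);
    snprintf(d->link, sizeof d->link, "%s/x", d->dir);
    int fa = open(d->file_a, O_CREAT | O_WRONLY, 0600);
    int fb = open(d->file_b, O_CREAT | O_WRONLY, 0600);
    if (fa < 0 || fb < 0)
        return -1;
    close(fa);
    close(fb);
    return symlink(d->file_a, d->link);
}
void cleanup_demo(struct demo *d)
{
    unlink(d->link); unlink(d->file_a); unlink(d->file_b); rmdir(d->dir);
}

int main(void)
{
    struct demo d;
    if (setup_demo(&d) != 0)
        return 1;
    struct swap_args s = { d.link, d.file_b };
    printf("path-based check on symlink: %s\n",
           chown_tty_by_path(d.link, (uid_t)-1, (gid_t)-1) == 0 ? "ok" : strerror(errno));
    printf("target changed inside window: %d\n",
           window_changes_target(d.link, swap_symlink_hook, &s));
    printf("O_NOFOLLOW open of symlink: %s\n",
           open_tty_checked(d.link) < 0 ? strerror(errno) : "opened");
    cleanup_demo(&d);
    return 0;
}
```

Build with `cc -Wall tocttou.c -o tocttou` and run it as an ordinary user; the window measurement reports 1 because the two stat() calls resolve x to different inodes, while the O_NOFOLLOW open refuses the symlink outright. The design point for login-style code is the same: the terminal to chown should be derived from a descriptor the process already holds (fstat on its own stdin), never re-resolved from a name that an unprivileged writer may have placed in utmp.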