[Pkg-shadow-devel] Bug#505071: Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)

Paul Szabo psz at maths.usyd.edu.au
Mon Nov 10 00:04:12 UTC 2008

Dear Nekral,

>> Seems to me that as things stand, writing a suitable utmp entry, would
>> trick login into chowning an arbitrary file. Should I attempt to write
>> an exploit/demo?
> That would be nice to check if it would be possible to chown /etc/shadow
> by cheating utmp.
> A fake demo would be nice.
> (by "fake demo", I mean that you do not have to find a way to guess the
> PID, but can recompile a new login which use an hardcoded utmp entry in
> checkutmp; that would be sufficient since we already know the utmp entry
> selection is wrong and can be cheated)
> I hope is_my_tty protects it, but I did not checked at all the complete
> path.

I expect the following would work:
Predict what PID and tty will be used by login. (This is rather simple:
surely the next available ones, maybe current tty.) For sake of example,
say these are PID=123 and tty=/dev/pts/1.
Pre-create a symlink  /tmp/x -> /dev/pts/1  and write an utmp entry
with PID=123, line=/tmp/x, type=LOGIN_PROCESS.
Run login. While login is running, change /tmp/x to point to /etc/shadow.
We win the race if the change is done after stat(tty,...) within
is_my_tty and before chown(tty,...) in chown_tty.

Hope this is sufficient...

Cheers, Paul

Paul Szabo   psz at maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

More information about the Pkg-shadow-devel mailing list