[Pkg-shadow-devel] Bug#505071: Bug#505071: Bug#505071: login tty mis-determination (see bug#332198)
Paul Szabo
psz at maths.usyd.edu.au
Mon Nov 10 00:04:12 UTC 2008
Dear Nekral,
>> Seems to me that as things stand, writing a suitable utmp entry would
>> trick login into chowning an arbitrary file. Should I attempt to write
>> an exploit/demo?
>
> That would be nice to check if it would be possible to chown /etc/shadow
> by cheating utmp.
>
> A fake demo would be nice.
> (by "fake demo", I mean that you do not have to find a way to guess the
> PID, but can recompile a new login which uses a hardcoded utmp entry in
> checkutmp; that would be sufficient since we already know the utmp entry
> selection is wrong and can be cheated)
>
> I hope is_my_tty protects it, but I did not check the complete
> path at all.
I expect the following would work:

Predict what PID and tty will be used by login. (This is rather simple:
surely the next available ones, maybe current tty.) For sake of example,
say these are PID=123 and tty=/dev/pts/1.

Pre-create a symlink /tmp/x -> /dev/pts/1 and write a utmp entry
with PID=123, line=/tmp/x, type=LOGIN_PROCESS.

Run login. While login is running, change /tmp/x to point to /etc/shadow.
We win the race if the change is done after stat(tty,...) within
is_my_tty and before chown(tty,...) in chown_tty.

Hope this is sufficient...
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia