From: Craig Edwards
Date: Sun, 24 Oct 2004 18:15:27 +0100
To: freebsd-security@freebsd.org
Subject: broken lastlog?
Message-ID: <417BE32F.9020204@winbot.co.uk>

Hi.

On FreeBSD 5.2.1 I managed to break my lastlog by repeatedly issuing 'date' commands.
I'm not sure how this happened, but by issuing a command to set the date in an infinite while loop (I was attempting to break the restriction of setting the time to +/- 1 second in securelevel 2), you can end up with a lastlog like the following:

    [root@machine:username]$ last
    username   ttyp2  4.1.2.3  Sun Oct 24 16:06   still logged in
    date       {               Fri Dec 13 20:45
    date       |               Sun Oct 24 15:00
    username2  ttyp2  1.2.3.4  Sun Oct 24 01:01 - 02:33  (01:31)

etc etc...

This output is sanitized so as not to contain real data. The real test was done as root; so far I've not been able to pin this down. Has anyone seen this before, and is it fixed in later versions?

Thanks,
Craig Edwards