Date: Sat, 4 Mar 2006 12:42:50 +0100 (CET) From: Gabor Kovesdan <gabor.kovesdan@t-hosting.hu> To: FreeBSD-gnats-submit@FreeBSD.org Cc: Gabor Kovesdan <gabor.kovesdan@t-hosting.hu> Subject: bin/94060: Users can hide themselves with a trick Message-ID: <20060304114250.609DB997488@server.t-hosting.hu> Resent-Message-ID: <200603041150.k24Bo5q6014647@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 94060
>Category: bin
>Synopsis: Users can hide themselves with a trick
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 04 11:50:05 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Gabor Kovesdan
>Release: FreeBSD 5.3-RELEASE-p17 amd64
>Organization:
n/a
>Environment:
>Description:
Here, you can see that I logged in via ssh:
Last login: Sat Mar 4 12:28:28 2006
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE-p17 (FREEBSD) #0: Mon Jul 4 20:23:15 CEST 2005
[motd snipped]
tux@server$ w
12:28PM up 82 days, 21:53, 2 users, load averages: 0.16, 0.07, 0.02
USER TTY FROM LOGIN@ IDLE WHAT
[snip]
tux p1 catv-5062e7e3.ca 12:28PM - w
As I type w, I can see myself logged in. The system recognizes my host, too.
Now, here comes the trick. I run login with any parameter, even a non-existent
user. I specify a wrong password and then I log in with my account I used by
ssh login. In this case this login name is tux. I don't have to specify my
password in this case, of course, because I started login with uid tux.
tux@server$ login some_fake_user
Password:
Login incorrect
login: tux
Last login: Sat Mar 4 12:28:54 from catv-5062e7e3.c
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE-p17 (FREEBSD) #0: Mon Jul 4 20:23:15 CEST 2005
[motd snipped]
tux@server$ w
12:29PM up 82 days, 21:53, 2 users, load averages: 0.11, 0.06, 0.02
USER TTY FROM LOGIN@ IDLE WHAT
[snip]
tux p1 - 12:29PM - w
My host has gone away...
Now, I type exit, to quit from this new session, but my first session
will remain:
tux@server$ exit
logout
tux@server$ w
12:29PM up 82 days, 21:53, 1 user, load averages: 0.10, 0.06, 0.02
USER TTY FROM LOGIN@ IDLE WHAT
yare p0 183-61-31.ip.ads 12:03PM 25 -
tux@server$ whoami
tux
tux@server$ who am i
tux ttyp1 Mar 4 12:29
tux@server$
Now, I disappeard, and I can do anything. Other users won't see that I
even logged in. I don't know whether it's a bug or it's the normal
behavior, but I think it should be changed. I don't think it is critical
but it might be used for some kind of abusing.
I haven't tried it locally, just with ssh, but I suppose it will work locally, too.
>How-To-Repeat:
Follow the steps above.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060304114250.609DB997488>