Date:      Sat, 16 Sep 1995 19:35:09 +0100 (BST)
From:      Mr D Whitehead (Ext 2703) <davew@sees.bangor.ac.uk>
To:        security@freebsd.org
Subject:   Re: forwarded message from Grant Haidinyak
Message-ID:  <24764.9509161835@hermes.sees.bangor.ac.uk>


> Quoting from Nate Williams (Fri Sep 15 22:18:06 1995):
> > [ Quick background.  Grant has been experiencing a bug whereby folks are
> > re-connected to login which were abruptly dis-connected from a machine.
> > This is a *HUGE* security hole if it is indeed true. ]
> ...
> 
> Yes it is. It was so in 2.0.0-SNAP950322, and was reported at
> least 4 months ago. It can be repeated by (on 2.0.0-SNAP):
> - login
> - startx
> - run 'su' and an xterm from there
> - write down the pty #
> - hit ctrl-alt-delete
> - from another machine, telnet into yours until your pty is = the
>   one you wrote down
> - play with the root shell. Even commands go to the root shell,
>   odd ones to yours I think.

	This bug (or at least one very much like it) has been around
since at least BSD4.3 .  We first saw it here on a VAX750 running 
BSD4.3, and still see it (occasionally) on our Suns (4.1.x).
	The common factor in most cases we have looked at seems to be
the way in which the pty connection is (broken) terminated.  Typically
the connection was to a PC running PC TCP-IP, eXceedp or similar
software, and the session was abruptly terminated by either the PC
being switched off or the PC getting itself into a mess and hanging
up.
	One case however was different, the user was using a PC with
software similar to PC TCP-IP.  He would logout correctly but would
get a message indicating that the /etc/utmp file could not be written
to.  Changing the protection of /etc/utmp from 644 to 666 would get
rid of the message and the shell.  We banned the software but did not
get to the bottom of the problem.

-- 
		Dave Whitehead (Computer Support Staff)
-------------------------------------------------------------------------------
EMAIL:-					|	TELEPHONE (work):-
(work) davew@sees.bangor.ac.uk 		|	+44 1248 382703 (Direct line)
(home) 100023.1076@compuserve.com	|	+44 1248 351151 ext 2703
-------------------------------------------------------------------------------
SNAIL MAIL:-
Dave Whitehead
School of Electronic Engineering & Computer Systems,
University College of North Wales,
Dean Street,
Bangor  LL57 1UT
------------------------------------------------------------------------------



