From owner-freebsd-security Sat Sep 16 11:37:15 1995
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id LAA24222 for security-outgoing; Sat, 16 Sep 1995 11:37:15 -0700
Received: from hermes.sees.bangor.ac.uk (hermes.sees.bangor.ac.uk [147.143.102.8]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id LAA24202 for ; Sat, 16 Sep 1995 11:37:12 -0700
From: Mr D Whitehead (Ext 2703)
Message-Id: <24764.9509161835@hermes.sees.bangor.ac.uk>
Received: from adam.sees (adam.sees.bangor.ac.uk) by hermes.sees.bangor.ac.uk; Sat, 16 Sep 95 19:35:10 BST
Subject: Re: forwarded message from Grant Haidinyak
To: security@freebsd.org
Date: Sat, 16 Sep 1995 19:35:09 +0100 (BST)
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 2190
Sender: owner-security@freebsd.org
Precedence: bulk

> Quoting from Nate Williams (Fri Sep 15 22:18:06 1995):
> > [ Quick background. Grant has been experiencing a bug whereby folks are
> > re-connected to login which were abruptly dis-connected from a machine.
> > This is a *HUGE* security hole if it is indeed true. ]
> ...
> Yes it is. It was so in 2.0.0-SNAP950322, and was reported at
> least 4 months ago. It can be repeated by (on 2.0.0-SNAP):
> - login
> - startx
> - run 'su' and an xterm from there
> - write down the pty #
> - hit ctrl-alt-delete
> - from another machine, telnet into yours until your pty is the
>   one you wrote down
> - play with the root shell. Even commands go to the root shell,
>   odd ones to yours I think.

This bug (or at least one very much like it) has been around since at least
BSD4.3. We first saw it here on a VAX750 running BSD4.3, and still see it
(occasionally) on our Suns (4.1.x). The common factor in most cases we have
looked at seems to be the way in which the pty connection is (broken)
terminated.

Typically the connection was to a PC running PC TCP-IP, eXceedp or similar
software, and the session was abruptly terminated by either the PC being
switched off or the PC getting itself into a mess and hanging up.

One case however was different: the user was using a PC with software
similar to PC TCP-IP. He would logout correctly but would get a message
indicating that the /etc/utmp file could not be written to. Changing the
protection of /etc/utmp from 644 to 666 would get rid of the message and
the shell. We banned the software but did not get to the bottom of the
problem.

--
Dave Whitehead (Computer Support Staff)
-------------------------------------------------------------------------------
EMAIL:-                                  | TELEPHONE (work):-
(work) davew@sees.bangor.ac.uk           | +44 1248 382703 (Direct line)
(home) 100023.1076@compuserve.com        | +44 1248 351151 ext 2703
-------------------------------------------------------------------------------
SNAIL MAIL:-
Dave Whitehead
School of Electronic Engineering & Computer Systems,
University College of North Wales,
Dean Street,
Bangor LL57 1UT
------------------------------------------------------------------------------
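The failure mode described in this thread is a pty whose login record has gone (the PC died, or utmp could not be written) while the processes on that pty, including a root shell started with su, are still alive; the next telnet login that lands on the same pty then shares it. A check an administrator would want after reading this is to list ptys that still host shells but have no utmp entry, flagging any that hold a root shell. The script below is an added example and is not code from the original message or from FreeBSD. It assumes BSD-style `ps` and `who` output (the `TT` column shows `p0`, `who` shows `ttyp0`); the two sample outputs are constructed here so the script runs offline, and on a live host they would be replaced with the real command output.

```python
"""Flag ptys that still have live shells but no utmp login record.

Added example, not code from the original mailing-list thread. The PS_OUTPUT
and WHO_OUTPUT constants are constructed sample text standing in for the
real `ps -axo user,pid,tty,comm` and `who` output on a BSD-style system.
"""
from collections import defaultdict

# Process names we treat as an interactive session worth flagging.
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh", "su"}

# Constructed sample `ps` output: alice ran su on ttyp0 and the PC that owned
# the session went away, leaving her csh, su, and the root csh behind.
PS_OUTPUT = """\
USER   PID TT  COMMAND
root     1 ??  init
alice  233 p0  csh
root   241 p0  su
root   242 p0  csh
bob    310 p1  tcsh
alice  350 p2  sh
"""

# Constructed sample `who` output: ttyp0 has no entry any more, although the
# processes on it are still running.
WHO_OUTPUT = """\
bob      ttyp1    Sep 16 19:02   (pc22.sees)
alice    ttyp2    Sep 16 19:10   (pc07.sees)
"""


def norm_tty(tty):
    """Map 'ttyp0' (who) and 'p0' (ps) onto one key; '??' means no tty."""
    tty = tty.strip()
    if tty in ("??", "?", "-"):
        return None
    return tty[3:] if tty.startswith("tty") else tty


def parse_ps(text):
    """Return {tty: [(user, pid, command), ...]} for processes that own a tty."""
    by_tty = defaultdict(list)
    for line in text.splitlines()[1:]:      # skip the header line
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, tty, comm = parts
        key = norm_tty(tty)
        if key is not None:
            by_tty[key].append((user, int(pid), comm))
    return by_tty


def parse_who(text):
    """Return the set of ttys that currently have a utmp login record."""
    ttys = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            ttys.add(norm_tty(parts[1]))
    return ttys


def orphaned_sessions(ps_text, who_text):
    """ttys with a live shell but no login record.

    Returns a sorted list of (tty, has_root_shell, [(user, pid, comm), ...]).
    A pty in this list is exactly the kind a fresh telnet login could be
    handed, ending up attached to someone else's shell.
    """
    by_tty = parse_ps(ps_text)
    logged_in = parse_who(who_text)
    result = []
    for tty, procs in sorted(by_tty.items()):
        if tty in logged_in:
            continue
        shells = [p for p in procs if p[2] in SHELLS]
        if not shells:
            continue
        has_root = any(user == "root" for user, _, _ in shells)
        result.append((tty, has_root, procs))
    return result


if __name__ == "__main__":
    for tty, has_root, procs in orphaned_sessions(PS_OUTPUT, WHO_OUTPUT):
        tag = "ROOT SHELL" if has_root else "shell"
        print(f"tty{tty}: {tag} with no utmp entry; pids "
              + ", ".join(f"{p}({u}:{c})" for u, p, c in procs))
```

On the constructed input the script reports only ttyp0, marked as holding a root shell; ttyp1 and ttyp2 are skipped because `who` still lists them. Matching on the tty name rather than on the user is deliberate: in the scenario above the leftover shell belongs to root while the original login belonged to alice, so a per-user comparison would miss it.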