bin/94060: Users can hide themselves with a trick

Gabor Kovesdan gabor.kovesdan at t-hosting.hu
Sat Mar 4 03:50:06 PST 2006


>Number:         94060
>Category:       bin
>Synopsis:       Users can hide themselves with a trick
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 04 11:50:05 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Gabor Kovesdan
>Release:        FreeBSD 5.3-RELEASE-p17 amd64
>Organization:
n/a
>Environment:

>Description:

Here, you can see that I logged in via ssh:

Last login: Sat Mar  4 12:28:28 2006
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.3-RELEASE-p17 (FREEBSD) #0: Mon Jul  4 20:23:15 CEST 2005
[motd snipped]
tux@server$ w
12:28PM  up 82 days, 21:53, 2 users, load averages: 0.16, 0.07, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
[snip]
tux              p1       catv-5062e7e3.ca 12:28PM     - w

As I type w, I can see myself logged in. The system recognizes my host, too.

Now, here comes the trick. I run login with any parameter, even a non-existent
user. I specify a wrong password and then I log in with the account I used for
the ssh login. In this case the login name is tux. I don't have to specify my
password in this case, of course, because I started login with uid tux.

tux@server$ login some_fake_user
Password:
Login incorrect
login: tux
Last login: Sat Mar  4 12:28:54 from catv-5062e7e3.c
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

FreeBSD 5.3-RELEASE-p17 (FREEBSD) #0: Mon Jul  4 20:23:15 CEST 2005
[motd snipped]
tux@server$ w
12:29PM  up 82 days, 21:53, 2 users, load averages: 0.11, 0.06, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
[snip]
tux              p1       -                12:29PM     - w

My host has gone away...
Now, I type exit, to quit from this new session, but my first session
will remain:

tux@server$ exit
logout
tux@server$ w
12:29PM  up 82 days, 21:53, 1 user, load averages: 0.10, 0.06, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
yare             p0       183-61-31.ip.ads 12:03PM    25 -
tux@server$ whoami
tux
tux@server$ who am i
tux              ttyp1    Mar  4 12:29
tux@server$

Now, I disappeared, and I can do anything. Other users won't see that I
even logged in. I don't know whether it's a bug or it's the normal
behavior, but I think it should be changed. I don't think it is critical
but it might be used for some kind of abuse.

I haven't tried it locally, just with ssh, but I suppose it will work locally, too.

>How-To-Repeat:

Follow the steps above.

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
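
Added example, not part of the original report: a way for an administrator to spot the end state shown above, where a user still has a shell on a terminal that w and who no longer list. It cross-checks saved who output against saved ps output; the helper name find_unlisted_ttys, the ps column selection and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list terminals that have running processes but no login
# record, i.e. sessions that `w` and `who` will not show.

# find_unlisted_ttys WHO_FILE PS_FILE   (hypothetical helper name)
#   WHO_FILE: saved output of `who`
#   PS_FILE:  saved output of `ps -ax -o user,tty,pid,command` (assumed columns)
# Prints "TTY USER" once per terminal that is absent from WHO_FILE.
find_unlisted_ttys() {
    awk '
        FILENAME == ARGV[1] { listed[$2] = 1; next }  # ttys with a login record
        $1 == "USER"        { next }                  # ps header line
        $2 == "??" || $2 == "-" { next }              # no controlling terminal
        $4 ~ /getty/        { next }                  # idle getty: expected, no login yet
        !($2 in listed) && !seen[$2]++ { print $2, $1 }
    ' "$1" "$2"
}

# Constructed sample data mirroring the final state in the report:
# only yare is listed, yet tux still has a shell on ttyp1.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/who.txt" <<'EOF'
yare             ttyp0    Mar  4 12:03 (183-61-31.ip.ads)
EOF
    cat > "$dir/ps.txt" <<'EOF'
USER   TTY     PID COMMAND
root   ??      412 /usr/sbin/sshd
root   ttyv0   501 /usr/libexec/getty Pc ttyv0
yare   ttyp0  8801 -sh (sh)
tux    ttyp1  9120 -sh (sh)
tux    ttyp1  9144 ps -ax -o user,tty,pid,command
EOF
    find_unlisted_ttys "$dir/who.txt" "$dir/ps.txt"
    rm -rf "$dir"
}

demo
```

On a live system the two inputs would be captured at the same moment; a hit is a lead to investigate, since anything else that holds a terminal without a login record will also be reported.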

