From tux@server.t-hosting.hu  Sat Mar  4 11:42:56 2006
Return-Path: <tux@server.t-hosting.hu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 87FB416A422
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  4 Mar 2006 11:42:56 +0000 (GMT)
	(envelope-from tux@server.t-hosting.hu)
Received: from server.t-hosting.hu (server.t-hosting.hu [217.20.133.7])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1A1A943D48
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  4 Mar 2006 11:42:55 +0000 (GMT)
	(envelope-from tux@server.t-hosting.hu)
Received: from localhost (localhost [127.0.0.1])
	by server.t-hosting.hu (Postfix) with ESMTP id C62CE9974D5;
	Sat,  4 Mar 2006 12:42:53 +0100 (CET)
Received: from server.t-hosting.hu ([127.0.0.1])
 by localhost (server.t-hosting.hu [127.0.0.1]) (amavisd-new, port 10024)
 with LMTP id 22651-02; Sat,  4 Mar 2006 12:42:50 +0100 (CET)
Received: by server.t-hosting.hu (Postfix, from userid 1001)
	id 609DB997488; Sat,  4 Mar 2006 12:42:50 +0100 (CET)
Message-Id: <20060304114250.609DB997488@server.t-hosting.hu>
Date: Sat,  4 Mar 2006 12:42:50 +0100 (CET)
From: Gabor Kovesdan <gabor.kovesdan@t-hosting.hu>
Reply-To: Gabor Kovesdan <gabor.kovesdan@t-hosting.hu>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Gabor Kovesdan <gabor.kovesdan@t-hosting.hu>
Subject: Users can hide themselves with a trick
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         94060
>Category:       bin
>Synopsis:       Users can hide themselves with a trick
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 04 11:50:05 GMT 2006
>Closed-Date:    Fri Jun 15 11:41:15 GMT 2007
>Last-Modified:  Fri Jun 15 11:41:15 GMT 2007
>Originator:     Gabor Kovesdan
>Release:        FreeBSD 5.3-RELEASE-p17 amd64
>Organization:
n/a
>Environment:

>Description:

Here, you can see that I logged in via ssh:

Last login: Sat Mar  4 12:28:28 2006
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.

FreeBSD 5.3-RELEASE-p17 (FREEBSD) #0: Mon Jul  4 20:23:15 CEST 2005
[motd snipped]
tux@server$ w
12:28PM  up 82 days, 21:53, 2 users, load averages: 0.16, 0.07, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
[snip]
tux              p1       catv-5062e7e3.ca 12:28PM     - w

As I type w, I can see myself logged in. The system recognizes my host, too.

Now, here comes the trick. I run login with any parameter, even a non-existent
user. I specify a wrong password and then I log in with my account I used by
ssh login. In this case this login name is tux. I don't have to specify my
password in this case, of course, because I started login with uid tux.

tux@server$ login some_fake_user
Password:
Login incorrect
login: tux
Last login: Sat Mar  4 12:28:54 from catv-5062e7e3.c
Copyright (c) 1992-2004 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

FreeBSD 5.3-RELEASE-p17 (FREEBSD) #0: Mon Jul  4 20:23:15 CEST 2005
[motd snipped]
tux@server$ w
12:29PM  up 82 days, 21:53, 2 users, load averages: 0.11, 0.06, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
[snip]
tux              p1       -                12:29PM     - w

My host has gone away...
Now, I type exit, to quit from this new session, but my first session
will remain:

tux@server$ exit
logout
tux@server$ w
12:29PM  up 82 days, 21:53, 1 user, load averages: 0.10, 0.06, 0.02
USER             TTY      FROM              LOGIN@  IDLE WHAT
yare             p0       183-61-31.ip.ads 12:03PM    25 -
tux@server$ whoami
tux
tux@server$ who am i
tux              ttyp1    Mar  4 12:29
tux@server$

Now, I disappeared, and I can do anything. Other users won't see that I
even logged in. I don't know whether it's a bug or it's the normal
behavior, but I think it should be changed. I don't think it is critical
but it might be used for some kind of abuse.

I haven't tried it locally, just with ssh, but I suppose it will work locally, too.

>How-To-Repeat:

Follow the steps above.

>Fix:
>Release-Note:
>Audit-Trail:

From: Daniel Gerzo <danger@rulez.sk>
To: bug-followup@FreeBSD.org, gabor.kovesdan@t-hosting.hu
Cc:  
Subject: Re: bin/94060: Users can hide themselves with a trick
Date: Sat, 4 Mar 2006 17:17:53 +0100

 Hello Gabor,
 
    pretty interesting, but I wasn't able to reproduce the behavior you
    have described. I've been trying to do the steps you wrote in PR,
    on RELENG_6, RELENG_4 and a 5.4-RELEASE (I don't have any 5.3
    running).
 
    On RELENG_6 I can't use `login some_fake_user':
 
    danger@[SC5.daemon ~]$ login asd
    Not a login shell.
    
    On RELENG_4 and 5.4-RELEASE I can do this step. My host is gone, but
    when I exit from the login session, my original session disappears
    too.
 
    Maybe it's only a 5.3-RELEASE issue?
 
 -- 
 Sincerely,
   Daniel Gerzo
 

From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: bug-followup@FreeBSD.org,  gabor.kovesdan@t-hosting.hu
Cc:  
Subject: Re: bin/94060: Users can hide themselves with a trick
Date: Sun, 05 Mar 2006 10:00:35 +0100

 Did you exactly follow the steps? I can reproduce it on RELENG_6.
 
 Gabor Kovesdan

From: "Mars G. Miro" <marsgmiro@gmail.com>
To: bug-followup@FreeBSD.org, gabor.kovesdan@t-hosting.hu, 
	keramida@ceid.upatras.gr
Cc:  
Subject: Re: bin/94060: Users can hide themselves with a trick
Date: Mon, 6 Mar 2006 15:16:24 +0800

 Greetz!
 
 This problem can be 100% reproduced if you're using 'sh', or invoking 'sh' if
 you're using another shell, prior to the 'login' trick, at least in all of the
 machines I have tested and on 5.4X and RELENG_6 as of Mar  3 13:57:47 PHT 2006,
 e.g:
 
 In this case, my shell is csh, but this problem does not manifest itself:
 
 mars@mars:~> ssh XXXXXXXX
 OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
 debug1: Reading configuration data /etc/ssh/ssh_config
 ...
 
 FreeBSD 6.1-PRERELEASE (GENERIC) #0: Fri Mar  3 13:57:47 PHT 2006
 
 Welcome to FreeBSD!
 
 ...
 
 mars@61XXX:~> finger
 Login            Name                 TTY  Idle  Login  Time   Office  Phone
 mars             mars                 p0         Mon    14:51
 mars@61XXX:~> login
 login: mars
 Last login: Mon Mar  6 14:51:36 from XXXX
 
 ...
 
 FreeBSD 6.1-PRERELEASE (GENERIC) #0: Fri Mar  3 13:57:47 PHT 2006
 
 Welcome to FreeBSD!
 
 ...
 
 mars@61XXX:~> exit
 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 logout
 debug1: channel 0: free: client-session, nchannels 1
 Connection to XXXXX closed.
 debug1: Transferred: stdin 0, stdout 0, stderr 34 bytes in 16.9 seconds
 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2.0
 debug1: Exit status 0
 
 Here when I 'exit'ed, I got logged off from the remote machine/ssh
 session terminated.
 
 But notice if I spawn an 'sh' shell prior to 'login':
 
 
 mars@mars:~> ssh XXXXXXXX
 OpenSSH_3.8.1p1 FreeBSD-20040419, OpenSSL 0.9.7e-p1 25 Oct 2004
 debug1: Reading configuration data /etc/ssh/ssh_config
 ...
 
 FreeBSD 6.1-PRERELEASE (GENERIC) #0: Fri Mar  3 13:57:47 PHT 2006
 
 Welcome to FreeBSD!
 
 ...
 
 mars@61XXX:~> sh
 $ login
 login: mars
 Last login: Mon Mar  6 14:51:56 from XXXXX
 Copyright (c) 1992-2006 The FreeBSD Project.
 Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
         The Regents of the University of California. All rights reserved.
 
 FreeBSD 6.1-PRERELEASE (GENERIC) #0: Fri Mar  3 13:57:47 PHT 2006
 
 Welcome to FreeBSD!
 
 ...
 
 mars@61XXX:~> finger
 Login            Name                 TTY  Idle  Login  Time   Office  Phone
 mars             mars                 p0         Mon    14:52
 mars@61XXX:~> w
  2:52PM  up 2 days, 22:30, 1 user, load averages: 0.00, 0.00, 0.00
 USER             TTY      FROM              LOGIN@  IDLE WHAT
 mars             p0       -                 2:52PM     - w
 mars@61XXX:~> exit
 logout
 $ w
  2:52PM  up 2 days, 22:30, 0 users, load averages: 0.00, 0.00, 0.00
 USER             TTY      FROM              LOGIN@  IDLE WHAT
 $ exit
 mars@61XXX:~> w
  2:52PM  up 2 days, 22:30, 0 users, load averages: 0.00, 0.00, 0.00
 USER             TTY      FROM              LOGIN@  IDLE WHAT
 
 At the same time, what shows up in /var/log/auth.log:
 
 Mar  6 14:51:53 61XXX sshd[10866]: syslogin_perform_logout: logout()
 returned an error
 
 mars@61XXX:~> uname -a
 FreeBSD 61XXX.XXXXXXXXXXXXX 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0:
 Fri Mar  3 13:57:47 PHT 2006
 root@61XXX.XXXXXXX:/usr/obj/usr/src/sys/GENERIC  amd64
 mars@61XXX:~> finger
 No one logged on.
 
 
 
 cheers
 mars

From: Giorgos Keramidas <keramida@freebsd.org>
To: "Mars G. Miro" <marsgmiro@gmail.com>
Cc: bug-followup@freebsd.org, gabor.kovesdan@t-hosting.hu
Subject: Re: bin/94060: Users can hide themselves with a trick
Date: Mon, 6 Mar 2006 18:27:38 +0200

 On 2006-03-06 15:16, "Mars G. Miro" <marsgmiro@gmail.com> wrote:
 > Greetz!
 >
 > This problem can be 100% reproduced if you're using 'sh', or invoking 'sh' if
 > you're using another shell, prior to the 'login' trick, at least in all of the
 > machines I have tested and on 5.4X and RELENG_6 as of Mar  3 13:57:47 PHT 2006,
 > e.g:
 >
 > In this case, my shell is csh, but this problem does not manifest itself:
 
 Nice.  This is probably a side-effect of `login' being a shell builtin
 in csh(1).
 

From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
To: bug-followup@FreeBSD.org,  gabor.kovesdan@t-hosting.hu
Cc:  
Subject: Re: bin/94060: Users can hide themselves with a trick
Date: Mon, 06 Mar 2006 17:36:56 +0100

 I use bash, and the problem also persists with bash, not only with sh.
 
 Gabor Kovesdan

From: "Mars G. Miro" <marsgmiro@gmail.com>
To: "Giorgos Keramidas" <keramida@freebsd.org>
Cc: bug-followup@freebsd.org, gabor.kovesdan@t-hosting.hu
Subject: Re: bin/94060: Users can hide themselves with a trick
Date: Tue, 7 Mar 2006 10:48:34 +0800

 On 3/7/06, Giorgos Keramidas <keramida@freebsd.org> wrote:
 > On 2006-03-06 15:16, "Mars G. Miro" <marsgmiro@gmail.com> wrote:
 > > Greetz!
 > >
 > > This problem can be 100% reproduced if you're using 'sh', or invoking 'sh' if
 > > you're using another shell, prior to the 'login' trick, at least in all of the
 > > machines I have tested and on 5.4X and RELENG_6 as of Mar  3 13:57:47 PHT 2006,
 > > e.g:
 > >
 > > In this case, my shell is csh, but this problem does not manifest itself:
 >
 > Nice.  This is probably a side-effect of `login' being a shell builtin
 > in csh(1).
 >
 >
 
 Oh yeah. Sorry I didn't test well enough ;-)
 
 Invoking /usr/bin/login instead of 'login' w/c is just a shell
 built-in, also produces this problem, so it's not an issue w/ w/c
 shell.
 
 Thanks.
 
 cheers
 mars
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Jun 15 11:40:29 UTC 2007 
State-Changed-Why:  
This appears to be a duplicate of bin/76752. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=94060 
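
The end state shown in this PR (a terminal that still has running processes but no entry in the w/who listing) can be checked for by comparing the process table with the utmp listing. The script below is an added example, not part of the PR or of FreeBSD; the function names and the sample data are constructed, and it assumes the tty naming seen in the report (who prints "ttyp1", ps prints "p1").

```shell
#!/bin/sh
# Added example: list terminals that have processes but no utmp entry.
# On a live system the two inputs would come from:
#   who > who.txt ; ps -ax -o user,tt,pid,comm > ps.txt

find_unlisted_ttys() {
    # $1 = file holding `who` output, $2 = file holding the ps output above
    awk '
        # who(1) prints "ttyp1" while ps(1) prints "p1": reduce both to "p1".
        function norm(t) { sub(/^\/dev\//, "", t); sub(/^tty/, "", t); return t }
        # First file: remember every tty that has a utmp record.
        # FILENAME is used instead of NR==FNR so an empty who file still works.
        FILENAME == ARGV[1] { listed[norm($2)] = 1; next }
        FNR == 1 && $1 == "USER" { next }               # ps header line
        $2 == "?" || $2 == "??" || $2 == "-" { next }   # no controlling tty
        {
            t = norm($2)
            # Report each user/tty pair once if the tty is unknown to utmp.
            if (!(t in listed) && !seen[t, $1]++) print $1, t
        }
    ' "$1" "$2" | sort
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample modelled on the final `w` output in the report:
    # yare is listed on ttyp0, tux still has processes on p1 but is not listed.
    cat > "$dir/who" <<'EOF'
yare             ttyp0    Mar  4 12:03 (183-61-31.ip.ads)
EOF
    cat > "$dir/ps" <<'EOF'
USER   TT   PID COMMAND
yare   p0  4100 csh
tux    p1  4242 bash
tux    p1  4310 vi
root   ??   312 sshd
EOF
    find_unlisted_ttys "$dir/who" "$dir/ps"
    rm -rf "$dir"
}

demo
```

Each output line is a user and a terminal that w and finger would not show; the sshd line logged in auth.log above is a second signal that a utmp record was removed out from under a live session.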
>Unformatted:
