xorl %eax, %eax

Fun with w and who


Often you have access to a server as an unprivileged user but no execute permission on useful commands such as:
/usr/bin/w
/usr/bin/who

Of course, if you can read the login record files (utmp/wtmp), you should be fine. On most systems their permissions default to something like this:

xorl@debian:~$ ls -l /var/log/wtmp
-rw-rw-r-- 1 root utmp 7296 2009-04-01 14:19 /var/log/wtmp
xorl@debian:~$

Anyway, here is a dummy little piece of code that will help you parse this log file and get information when you normally shouldn’t. I personally used this a couple of months ago on a shell account provider to find a couple of IP addresses for some users ;-)

/*
 * Dummy code by xorl for getting infoz when w or who
 * aren't available.
 *
 * gcc guess-who.c -Wall -std=c99 -pedantic -o guess-who
 *
 */

#include <stdio.h>
#include <unistd.h>
#include <utmp.h>
#include <fcntl.h>
#include <sys/types.h>

#define LOGFILE  "/var/log/wtmp"

int
main(void)
{
        struct utmp info;
        ssize_t ret = 0;
        int fd = -1;

        if ((fd = open(LOGFILE, O_RDONLY)) == -1)
        {
            printf("Unable to open %s\n", LOGFILE);
            return -1;
        }

        /* wtmp is a flat array of struct utmp records; stop at EOF, on a
         * read error, or on a truncated trailing record. */
        while ((ret = read(fd, &info, sizeof(info))) == (ssize_t)sizeof(info))
        {
                /* USER_PROCESS marks a normal login session. The ut_*
                 * strings are fixed-size and may lack a terminating NUL,
                 * so bound every %s with the field size. */
                if (info.ut_type == USER_PROCESS)
                  printf("[PID: %d]: %.*s @ %.*s using %.*s\n",
                         (int)info.ut_pid,
                         (int)sizeof(info.ut_user), info.ut_user,
                         (int)sizeof(info.ut_host), info.ut_host,
                         (int)sizeof(info.ut_line), info.ut_line);
        }

        return close(fd);
}


This code is extremely simple and I guess that almost everyone should have better utilities in their toolboxes for gathering similar information but anyway. Since I don’t have any cool bug to discuss I’ll post this crap :P

Here is an example output:

xorl@some-host:~$ gcc guess-who.c -Wall -std=c99 -pedantic -o guess-who
xorl@some-host:~$ ./guess-who
[PID: 2435]: root @ XXX.XXX.XXX.XXX using pts/0
[PID: 2562]: xorl @ YYY.YYY.YYY.YYY using pts/0
[PID: 2599]: user @ ZZZ.ZZZ.ZZZ.ZZZ using pts/1
xorl@some-host:~$
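
The output above is possible because the record file is readable by "other" while only the binaries were restricted. The following check for that mismatch is an added example, not part of the original post; it judges the "other" permission class only, and the /var/run/utmp path is an assumption (the post shows only /var/log/wtmp).

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Verdicts for one (tool, record file) pair, judged for the "other" class
 * only; users in the file's group are out of scope (assumption). */
enum verdict { V_ERROR = -1, V_RESTRICTED, V_OPEN, V_BYPASSABLE };

/* Pure decision on the two mode words, so it can be checked without files. */
enum verdict classify(mode_t tool, mode_t log)
{
    int can_exec = (tool & S_IXOTH) != 0;
    int setid    = (tool & (S_ISUID | S_ISGID)) != 0;
    int can_read = (log & S_IROTH) != 0;

    if (can_read)                 /* raw records readable by anyone */
        return can_exec ? V_OPEN : V_BYPASSABLE;
    /* Records closed: only a set-id tool could still read them for the user. */
    return (can_exec && setid) ? V_OPEN : V_RESTRICTED;
}

/* stat() both paths and classify; V_ERROR if either cannot be examined. */
enum verdict audit_pair(const char *tool, const char *log)
{
    struct stat t, l;

    if (stat(tool, &t) == -1 || stat(log, &l) == -1)
        return V_ERROR;
    return classify(t.st_mode, l.st_mode);
}

int main(void)
{
    /* w, who and wtmp paths are from the post; the utmp path is an assumption. */
    const char *tools[] = { "/usr/bin/w", "/usr/bin/who" };
    const char *logs[]  = { "/var/log/wtmp", "/var/run/utmp" };
    const char *text[]  = { "restricted", "open (tool usable)",
                            "BYPASSABLE: tool blocked, records readable" };
    int bad = 0;

    for (int i = 0; i < 2; i++)
        for (int j = 0; j < 2; j++) {
            enum verdict v = audit_pair(tools[i], logs[j]);
            printf("%-12s + %-14s : %s\n", tools[i], logs[j],
                   v == V_ERROR ? "cannot stat" : text[v]);
            bad += (v == V_BYPASSABLE);
        }
    return bad ? 1 : 0;
}
```

A BYPASSABLE verdict means the restriction on the binary hides nothing from local users; the record file's own mode has to drop other-read for the restriction to hold.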

If you have any recent cool _public_ bugs that you would like me to write an analysis of, send me an email :)
Have fun!

Written by xorl

April 1, 2009 at 11:58

Posted in fun, security

7 Responses


  1. wow, are you serious?

    mf

    April 2, 2009 at 03:06

  2. I hope that this is not sarcasm…

    xorl

    April 2, 2009 at 12:04

  3. I came across this:
    http://pulpie.ath.cx/vanished/

    gorlist

    April 3, 2009 at 20:17

  4. Nate

    April 4, 2009 at 02:21

  5. gorlist: nice prog.

    Nate: I just found it easier. Of course last(1) could work too.

    xorl

    April 6, 2009 at 11:09

  6. Or you could just copy the damn command to your home and place +x on it. Maybe?

    synapse

    September 30, 2009 at 15:22

  7. I meant executable :D

    synapse

    September 30, 2009 at 15:22

