I tried to get a copy of the trojaned source, but was unsuccessful.

From what I can gather, there's two likely scenarios involving this
problem.

Scenario #1:
The trojaned code was placed in a section of the source which was only
executed by the user during the initial ./configure ; make ; make
install sequence.

This may not yield root privileges (if the user was intelligent enough to
execute these commands from a standard user account), though this is going
to yield minimally an unprivileged shell from the users account. From
there, it's strictly a matter of time. If an attacker is able to gain
access to a system with an unprivileged account, a local vulnerability
will eventually be uncovered that gives elevated privileges.

Scenario #2:
The trojaned code was placed in the configure that is executed during the
make install sequence. This would likely result in execution by root, as
the default goes to /usr/local. Obviously, this requires administrative
access for successful installation.

If this is the case, obviously, the results are unpredictable. The
connection initiation likely just gave the remote system an administrative
shell to bind to. I'd like to think the attacker was this
unsophisticated, but that would likely be underestimating him/her.

Hal Flynn
UNIX Focus Area Manager
SecurityFocus

"Semper Fidelis"

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]