Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Hal Flynn (flynnsecurityfocus.com)
Date: Mon May 27 2002 - 10:33:33 CDT
I tried to get a copy of the trojaned source, but was unsuccessful.
From what I can gather, there's two likely scenarios involving this
The trojaned code was placed in a section of the source which was only
executed by the user during the initial ./configure ; make ; make
This may not yield root privileges (if the user was intelligent enough to
execute these commands from a standard user account), though this is going
to yield minimally an unprivileged shell from the users account. From
there, it's strictly a matter of time. If an attacker is able to gain
access to a system with an unprivileged account, a local vulnerability
will eventually be uncovered that gives elevated privileges.
The trojaned code was placed in the configure that is executed during the
make install sequence. This would likely result in execution by root, as
the default goes to /usr/local. Obviously, this requires administrative
access for successful installation.
If this is the case, obviously, the results are unpredictable. The
connection initiation likely just gave the remote system an administrative
shell to bind to. I'd like to think the attacker was this
unsophisticated, but that would likely be underestimating him/her.
UNIX Focus Area Manager