Bugtraq mailing list archives

Re: vulnerability in mail.local
From: bert hubert <ahu () DS9A NL>
Date: Mon, 6 Nov 2000 20:02:24 +0100

On Mon, Nov 06, 2000 at 08:40:04AM +0100, Rogier Wolff wrote:

> real shell. Until he executes whatever he normally does to become
>
> Once you own the user-account of the administrator, you can work
> yourself up to "root".

However, as long as you prevent login as root via telnet or ssh to localhost
[1], such a trojan 'su' will give itself away. An exploited su will ask for
a password, but has no way to pass that password onto the real su, so as to
prevent detection. All common password checking programs take care to open
/dev/tty instead of stdin [2].

It can however report that your password was entered incorrectly, and then
spawn su, allowing you to retry.

So: if you ever find that you are sure that you entered the correct
password, but su doesn't believe you, your account may have been
compromised, as well as the account you tried to 'su' into.


Bert Hubert

(shouts out to Hardbeat who resonated with me during an IRC discussion
regarding /dev/tty and intercepting passwords)

[1] if you allow root logins via ssh or telnet, the trojanned su may spawn a
telnet session to localhost, enter root, and then wait for your password.
telnet does open stdin, and can be fooled this way.

[2] Getting input into /dev/tty requires wizardry that's not supposed to be
available to general users

PowerDNS                     Versatile DNS Services
Trilab                       The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
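The property the post leans on, shown as an added example (this is not code from the post or from any su implementation): a password prompt that talks only to the terminal device, never to stdin, and refuses to fall back to stdin when no terminal is available. A program that can only feed data into this prompt's stdin cannot satisfy it, which is why a fake su sitting in front of the real one cannot hand the typed password on. The `tty_path` parameter is an assumption added here so the behaviour can be exercised against a pseudo-terminal; real callers leave it at the default.

```python
import os
import termios


class NoControllingTerminal(Exception):
    """Raised when the terminal device cannot be opened.

    Deliberately no fallback to stdin: a prompt that silently accepts
    piped input is exactly what a password-intercepting wrapper wants.
    """


def read_secret_from_terminal(prompt="Password: ", tty_path="/dev/tty"):
    """Write the prompt to the terminal device and read one line with echo off.

    Only the terminal device is touched; whatever is sitting on stdin is
    neither read nor consumed.  `tty_path` defaults to the controlling
    terminal and exists only so tests can point it at a pty (assumption).
    """
    try:
        fd = os.open(tty_path, os.O_RDWR | os.O_NOCTTY)
    except OSError as exc:
        raise NoControllingTerminal(f"cannot open {tty_path}: {exc}") from exc
    try:
        old = termios.tcgetattr(fd)
        new = list(old)
        new[3] = new[3] & ~termios.ECHO  # local flags: stop echoing keystrokes
        # TCSADRAIN: wait for pending output, but keep any typed-ahead input
        termios.tcsetattr(fd, termios.TCSADRAIN, new)
        try:
            os.write(fd, prompt.encode())
            chunks = []
            while True:
                b = os.read(fd, 1)
                if not b or b == b"\n":  # EOF or end of line
                    break
                chunks.append(b)
            os.write(fd, b"\n")  # echo was off, so move to a fresh line ourselves
        finally:
            termios.tcsetattr(fd, termios.TCSADRAIN, old)
    finally:
        os.close(fd)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    # Interactive use: reads from the real controlling terminal.
    try:
        secret = read_secret_from_terminal()
        print(f"read {len(secret)} characters from the terminal")
    except NoControllingTerminal as e:
        print(f"refusing to prompt: {e}")
```

Running it as `echo hunter2 | python3 prompt.py` in a shell that has a terminal still prompts on the terminal and ignores the piped text; run under `setsid` or in a job with no controlling terminal it refuses outright instead of quietly reading stdin. That refusal is the point: the only way to answer the prompt is to type at the terminal device itself, which is the "wizardry" footnote [2] refers to.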
