Possible exploit in 5.4-STABLE
Jorn Argelo
jorn at wcborstel.nl
Fri Jul 1 16:40:41 GMT 2005
Oliver Fromme wrote:
>Argelo, Jorn <jorn_argelo at epson-europe.com> wrote:
> > [...]
> > This site, of course (almost) completely in Russian, had a file to gain
> > root access with a modified su utility. [...]
> >
> > This is a translation from babelfish:
> >
> > Plain replacement of "standard" su for FreeBSD. It makes it possible to
> > become any user (inc. root) with the introduction of any password. For
> > this necessary to neglect su with the option "-!". with the use of this
> > option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.
>
>To install such a modified su utility, you need to be root
>anyway.
>
>So this is not an exploit. It could be useful to install
>hidden backdoors on cracked machines, though, as part of a
>root kit or similar. You could achieve the same effect by
>copying /bin/sh to some hidden place and making it setuid-root
>(which also requires root privileges in the first
>place). The advantage of a modified su utility is the fact
>that su(1) is setuid-root anyway, so it might be more
>difficult to detect the backdoor.
>
>However -- In both cases the modified suid binary should
>be found and reported by the nightly security cronjob,
>unless you also modify find(1) and/or other utilities.
>This is a very good reason to actually _read_ the nightly
>cron output instead of deleting it immediately or forwarding
>it to /dev/null. ;-)
>
>(Also, local IDS tools like tripwire or mtree might be
>useful for such cases, too.)
>
>Best regards
> Oliver
>
>
>
Thank you for clearing this up Oliver. I just wanted to make sure it's a
harmless thing. Better safe than sorry ;)
Cheers,
Jorn.
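The check Oliver describes (the nightly job listing setuid binaries and the admin reading the diff) can be done in a few lines of sh. The script below is an added example, not code from this thread or from FreeBSD's periodic scripts: it inventories every setuid/setgid file under a tree with its SHA-256, and diffs that against a saved baseline, reporting files that were added, changed or removed. It assumes find(1), awk(1) and one of sha256sum, sha256 or shasum; the baseline path in the usage comment is made up.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-diff check for
# setuid/setgid files, in the spirit of a nightly security job.
#
# Usage (paths are only illustrative):
#   suid_inventory / > /var/db/suid.baseline      # once, on a known-clean host
#   suid_check /var/db/suid.baseline /            # nightly; non-zero exit = drift

# Print the SHA-256 of a file with whichever tool the host provides.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD sha256(1)
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# List every regular file under $1 with the setuid or setgid bit set.
# One line per file: <sha256> <s|g|sg> <path relative to $1>
suid_inventory() {
    (
        cd "$1" || exit 1
        find . -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort |
        while IFS= read -r f; do
            bits=""
            [ -u "$f" ] && bits="${bits}s"   # setuid
            [ -g "$f" ] && bits="${bits}g"   # setgid
            printf '%s %s %s\n' "$(file_digest "$f")" "$bits" "$f"
        done
    )
}

# Compare tree $2 against baseline file $1 (as written by suid_inventory).
# Prints one NEW / CHANGED / MISSING line per difference; exit 0 only if
# the tree matches the baseline exactly.
suid_check() {
    suid_inventory "$2" | awk -v base="$1" '
        BEGIN {
            bad = 0
            # load baseline: path -> "digest bits" (path may contain spaces)
            while ((getline line < base) > 0) {
                split(line, f, " ")
                path = substr(line, length(f[1]) + length(f[2]) + 3)
                seen[path] = f[1] " " f[2]
            }
            close(base)
        }
        {
            path = substr($0, length($1) + length($2) + 3)
            if (!(path in seen)) {
                print "NEW " path; bad = 1          # setuid file not in baseline
            } else {
                if (seen[path] != $1 " " $2) {      # content or bits differ
                    print "CHANGED " path; bad = 1
                }
                delete seen[path]
            }
        }
        END {
            for (path in seen) { print "MISSING " path; bad = 1 }
            exit bad
        }'
}
```

A trojaned /bin/su shows up as CHANGED (its digest no longer matches) and a hidden setuid copy of /bin/sh as NEW. As Oliver points out, a rootkit that also replaces find(1), awk(1), the digest tool or the shell defeats a check run on the same host, so keep the baseline off the machine and, when in doubt, run the check from trusted media.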
More information about the freebsd-stable mailing list