Possible exploit in 5.4-STABLE

Oliver Fromme olli at lurza.secnetix.de
Fri Jul 1 14:08:55 GMT 2005


Argelo, Jorn <jorn_argelo at epson-europe.com> wrote:
 > [...]
 > This site, of course (almost) completely in Russian, had a file to gain 
 > root access with a modified su utility. [...]
 > 
 > This is a translation from babelfish:
 > 
 > Plain replacement of "standard" su for FreeBSD. It makes it possible to 
 > become any user (inc. root) with the introduction of any password. For 
 > this necessary to neglect su with the option "-!". with the use of this 
 > option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.

To install such a modified su utility, you need to be root
anyway.

So this is not an exploit.  It could be useful to install
hidden backdoors on cracked machines, though, as part of a
root kit or similar.  You could achieve the same effect by
copying /bin/sh to some hidden place and make it setuid-
root (which also requires root privileges in the first
place).  The advantage of a modified su utility is the fact
that su(1) is setuid-root anyway, so it might be more
difficult to detect the backdoor.

However -- In both cases the modified suid binary should
be found and reported by the nightly security cronjob,
unless you also modify find(1) and/or other utilities.
This is a very good reason to actually _read_ the nightly
cron output instead of deleting it immediately or forwarding
it to /dev/null.  ;-)

(Also, local IDS tools like tripwire or mtree might be
useful for such cases, too.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"A language that doesn't have everything is actually easier
to program in than some that do."
        -- Dennis M. Ritchie
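As an added illustration of the detection point made above (this script is not part of the thread and is not FreeBSD's own periodic security job), here is a small POSIX shell audit in the spirit of the nightly setuid check. It goes one step further than a plain mode listing: it records a SHA-256 of every setuid/setgid file, so a trojaned su that keeps the original path and permissions but has different contents is reported alongside a newly planted setuid shell copy. It assumes find(1), ls(1), comm(1), mktemp(1) and one of sha256sum, sha256 or shasum are available; the directory names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helper, not FreeBSD code): baseline and audit
# of setuid/setgid files, keyed on mode, owner, SHA-256 and path.

# Print the SHA-256 of one file using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# list_suid DIR... : one sorted line per setuid/setgid regular file:
#   "<mode> <owner> <sha256> <path>"
list_suid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        modeowner=$(ls -ld "$f" | awk '{print $1, $3}')
        printf '%s %s %s\n' "$modeowner" "$(hash_file "$f")" "$f"
    done | LC_ALL=C sort
}

# audit_suid BASELINE DIR... : compare the current listing with a baseline
# produced earlier by list_suid. Returns 0 when nothing changed, 1 when a
# setuid/setgid file is new, missing, or has different contents/mode/owner.
audit_suid() {
    base=$1; shift
    cur=$(mktemp) || return 2
    list_suid "$@" > "$cur"
    added=$(LC_ALL=C comm -13 "$base" "$cur")   # only in current listing
    gone=$(LC_ALL=C comm -23 "$base" "$cur")    # only in baseline
    rm -f "$cur"
    [ -z "$added$gone" ] && return 0
    [ -n "$added" ] && printf 'NEW or MODIFIED setuid/setgid files:\n%s\n' "$added"
    [ -n "$gone" ]  && printf 'BASELINE entries now MISSING or MODIFIED:\n%s\n' "$gone"
    return 1
}

# Usage (placeholder paths): create a baseline once, then run nightly.
#   list_suid /bin /sbin /usr/bin /usr/sbin > /var/db/suid.baseline
#   audit_suid /var/db/suid.baseline /bin /sbin /usr/bin /usr/sbin
```

The check is only as trustworthy as the tools it runs, which is exactly the caveat raised above: if find(1), ls(1) or the hashing tool have been replaced as well, the output cannot be relied on, and a baseline stored on a read-only medium plus an mtree(8) or tripwire comparison of the utilities themselves is the usual answer. The script also never follows symlinks and ignores special files, so it reports only regular files, the kind a modified su or a setuid copy of /bin/sh would be.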
