Date: Fri, 01 Jul 2005 18:40:00 +0200
From: Jorn Argelo <jorn@wcborstel.nl>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: Possible exploit in 5.4-STABLE
Message-ID: <42C571E0.8070104@wcborstel.nl>
In-Reply-To: <200507011406.j61E6a1f092322@lurza.secnetix.de>
References: <200507011406.j61E6a1f092322@lurza.secnetix.de>
Oliver Fromme wrote:

> Argelo, Jorn <jorn_argelo@epson-europe.com> wrote:
> > [...]
> > This site, of course (almost) completely in Russian, had a file to gain
> > root access with a modified su utility. [...]
> >
> > This is a translation from babelfish:
> >
> > Plain replacement of "standard" su for FreeBSD. It makes it possible to
> > become any user (inc. root) with the introduction of any password. For
> > this necessary to neglect su with the option "-!". with the use of this
> > option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.
>
> To install such a modified su utility, you need to be root
> anyway.
>
> So this is not an exploit. It could be useful to install
> hidden backdoors on cracked machines, though, as part of a
> root kit or similar. You could achieve the same effect by
> copying /bin/sh to some hidden place and make it setuid-
> root (which also requires root privileges in the first
> place). The advantage of a modified su utility is the fact
> that su(1) is setuid-root anyway, so it might be more
> difficult to detect the backdoor.
>
> However -- In both cases the modified suid binary should
> be found and reported by the nightly security cronjob,
> unless you also modify find(1) and/or other utilities.
> This is a very good reason to actually _read_ the nightly
> cron output instead of deleting it immediately or
> forwarding it to /dev/null. ;-)
>
> (Also, local IDS tools like tripwire or mtree might be
> useful for such cases, too.)
>
> Best regards
>    Oliver

Thank you for clearing this up Oliver. I just wanted to make sure it's a
harmless thing. Better safe than sorry ;)

Cheers,

Jorn.
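The detection Oliver relies on is the nightly setuid report: list every setuid/setgid file, diff it against yesterday's list, and mail the difference. Below is an added example of that check, written for this page; it is not code from the thread and not FreeBSD's own periodic(8) security script, only a small script in the same spirit. The sandbox layout built by demo() (a fake root with usr/bin/su and a hidden tmp/.x/sh) and the baseline file name are assumptions for the demonstration.

```shell
# Added example (not from the thread, not FreeBSD's /etc/security):
# a minimal setuid-drift check. list_setuid enumerates setuid/setgid
# regular files under a root; check_setuid compares that listing with a
# saved baseline and reports anything new, which is exactly how a hidden
# setuid-root copy of /bin/sh or a replaced su shows up.

# list_setuid ROOT
# Print "mode owner path" for each setuid or setgid regular file under ROOT,
# sorted so two listings can be compared with comm(1).
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null \
        | awk '{ print $1, $3, $NF }' | sort
}

# check_setuid ROOT BASELINE
# First run: write the listing to BASELINE and return 0.
# Later runs: print entries missing from BASELINE and return 1 if there are
# any, else 0. (Only additions are reported here; a full check would also
# report removals and mode changes.)
check_setuid() {
    root=$1
    baseline=$2
    current=$(mktemp) || return 2
    list_setuid "$root" > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "baseline written to $baseline"
        return 0
    fi
    new=$(comm -13 "$baseline" "$current")
    rm -f "$current"
    if [ -n "$new" ]; then
        echo "NEW setuid/setgid files since baseline:"
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# demo: build a throwaway fake root (assumed layout, not a real system),
# baseline it with a legitimate setuid su, then plant a hidden setuid
# shell the way Oliver describes and run the check again.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/usr/bin" "$d/tmp/.x"
    printf '#!/bin/sh\nexit 0\n' > "$d/usr/bin/su"
    chmod 4555 "$d/usr/bin/su"
    check_setuid "$d" "$d/setuid.baseline"   # first run: writes baseline
    cp "$d/usr/bin/su" "$d/tmp/.x/sh"
    chmod 4755 "$d/tmp/.x/sh"                 # the planted backdoor
    check_setuid "$d" "$d/setuid.baseline"   # second run: reports tmp/.x/sh
    rc=$?
    rm -rf "$d"
    return $rc
}

# Run the demo only when invoked as: sh check_setuid.sh --demo
[ "${1:-}" = "--demo" ] && demo
```

Run it against "/" from cron with a baseline kept in a root-owned directory and mail the output; the report is only useful if someone reads it. The caveat from the thread applies unchanged: the script trusts the find(1), ls(1) and awk(1) binaries on the host, so a rootkit that replaces those can hide from it, which is why an offline mtree or tripwire database of known-good hashes is the stronger check.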
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42C571E0.8070104>