Date: Tue, 24 Jul 2001 17:59:09 -0600 (MDT) From: David G Andersen <danderse@cs.utah.edu> To: kzaraska@student.uci.agh.edu.pl (Krzysztof Zaraska) Cc: roam@orbitel.bg (Peter Pentchev), jdl@jdl.com (Jon Loeliger), security@FreeBSD.ORG Subject: Re: Security Check Diffs Question Message-ID: <200107242359.f6ONx9U09628@faith.cs.utah.edu> In-Reply-To: <Pine.BSF.4.21.0107250125420.489-100000@lhotse.zaraska.dhs.org> from "Krzysztof Zaraska" at Jul 25, 2001 01:47:25 AM
next in thread | previous in thread | raw e-mail | index | archive | help
Lo and behold, Krzysztof Zaraska once said: > > Driven by curiousity I've just done strings /usr/bin/ypchfn on my > 4.3-RELEASE machine and got the output which is 346 lines long. So it > seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn > with extra feature(s) giving root access) but rather a totally new > program, rather short, which executable has been somehow "padded" to have > the length equal to that of the original ypchfn. Two things seem weird to > me here: > > 1. If it _replaces_ root password, how would the future usage of it by the > intruder go undetected? Backdoors should be possibly untraceable I guess. It's probably not what you think. > 2. What if ypchfn is run by an unsuspecting user in a good will attempt to > change her finger information? She locks out root? ypchfn is not used to change root's password, especially since almost nobody uses YP for disting out root's password (hint: this would be exceptionally stupid). It's probably a simple trojan with a pretty interface on it that says, (if username == "root", ask for their password. If crypt(input) == that stored password, grant access to the system). If it's clever, it'd shell out to the real ypchfn if that failed. Kind of like a trojaned login binary. A teensy bit of gdb'ing could probably determine if this is correct or not. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107242359.f6ONx9U09628>