Date:      Tue, 24 Jul 2001 17:59:09 -0600 (MDT)
From:      David G Andersen <danderse@cs.utah.edu>
To:        kzaraska@student.uci.agh.edu.pl (Krzysztof Zaraska)
Cc:        roam@orbitel.bg (Peter Pentchev), jdl@jdl.com (Jon Loeliger), security@FreeBSD.ORG
Subject:   Re: Security Check Diffs Question
Message-ID:  <200107242359.f6ONx9U09628@faith.cs.utah.edu>
In-Reply-To: <Pine.BSF.4.21.0107250125420.489-100000@lhotse.zaraska.dhs.org> from "Krzysztof Zaraska" at Jul 25, 2001 01:47:25 AM

Lo and behold, Krzysztof Zaraska once said:
> 
> Driven by curiosity I've just done strings /usr/bin/ypchfn on my
> 4.3-RELEASE machine and got the output which is 346 lines long. So it
> seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn
> with extra feature(s) giving root access) but rather a totally new
> program, rather short, whose executable has been somehow "padded" to have
> the length equal to that of the original ypchfn. Two things seem weird to
> me here:
> 
> 1. If it _replaces_ root password, how would the future usage of it by the
> intruder go undetected? Backdoors should be possibly untraceable I guess.

  It's probably not what you think.

> 2. What if ypchfn is run by an unsuspecting user in a good will attempt to
> change her finger information? She locks out root?

  ypchfn is not used to change root's password, especially since
almost nobody uses YP for disting out root's password (hint:  this
would be exceptionally stupid).

  It's probably a simple trojan with a pretty interface on it that
says, (if username == "root", ask for their password.  If crypt(input) ==
that stored password, grant access to the system).

  If it's clever, it'd shell out to the real ypchfn if that failed.
Kind of like a trojaned login binary.  A teensy bit of gdb'ing could
probably determine if this is correct or not.

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
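The two observations in this exchange (a strings(1) listing that is far too short for the file size, and Dave's guess that the binary carries a stored hash, compares crypt(input) against it, and execs the real program when that fails) can be turned into a quick triage script. What follows is an added example, not code from the thread or from FreeBSD: it reimplements the strings(1) scan, looks for compiled-in crypt(3)-style hash constants and absolute paths the binary could exec, measures trailing NUL padding, and compares the SHA-256 against a known-good value. The sample bytes are constructed stand-ins for the genuine and the suspect /usr/bin/ypchfn (not real ELF files), and the path /usr/libexec/ypchfn.real is an assumption.

```python
"""Triage of a suspect setuid binary, following the thread's two leads:
strings(1) output that looks far too short, and a guessed backdoor that
compares crypt(input) with a stored hash and execs the real program
otherwise.  Added example, not from the thread; the sample bytes are
constructed stand-ins, and the path /usr/libexec/ypchfn.real is assumed."""
import hashlib
import re
from typing import Dict, List, Optional

CRYPT_CHARS = r"[./0-9A-Za-z]"
# Modular-crypt forms: $1$ (md5crypt), $2a$/$2b$ (bcrypt), $5$/$6$ (sha-crypt).
MODULAR_HASH_RE = re.compile(r"^\$(1|2a|2b|5|6)\$[^$]{1,16}\$" + CRYPT_CHARS + r"{22,86}$")
# Traditional DES crypt(3): exactly 13 characters from the crypt alphabet (weak indicator).
DES_HASH_RE = re.compile(r"^" + CRYPT_CHARS + r"{13}$")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Rough equivalent of strings(1): runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def trailing_nul_padding(data: bytes) -> int:
    """Length of the NUL run at end of file; a big one suggests padding to a target size."""
    return len(data) - len(data.rstrip(b"\x00"))


def find_hash_constants(strs: List[str]) -> List[str]:
    """Strings that look like a crypt(3) hash compiled into the binary."""
    return [s for s in strs if MODULAR_HASH_RE.match(s) or DES_HASH_RE.match(s)]


def find_exec_targets(strs: List[str]) -> List[str]:
    """Absolute paths with no spaces: candidates for an exec() of a shell or the real tool."""
    return [s for s in strs if s.startswith("/") and " " not in s]


def triage(data: bytes, known_good_sha256: Optional[str] = None) -> Dict[str, object]:
    strs = extract_strings(data)
    digest = hashlib.sha256(data).hexdigest()
    report: Dict[str, object] = {
        "sha256": digest,
        "matches_known_good": known_good_sha256 is not None and digest == known_good_sha256,
        "string_count": len(strs),
        "hash_constants": find_hash_constants(strs),
        "exec_targets": find_exec_targets(strs),
        "trailing_padding": trailing_nul_padding(data),
    }
    # Any one of these is enough to pull the binary for a closer look (gdb, objdump).
    report["suspicious"] = (
        (known_good_sha256 is not None and not report["matches_known_good"])
        or bool(report["hash_constants"])
        or trailing_nul_padding(data) > 1024
    )
    return report


# --- constructed samples (not real ELF files) ---------------------------------
# Stand-in for the genuine ypchfn: 346 message strings, mirroring the count in the thread.
GENUINE = b"\x7fELF\x00" + b"\x00".join(b"string%03d" % i for i in range(346))
KNOWN_GOOD_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # what a trusted manifest would hold

# Stand-in for the trojan Dave describes: a prompt, a hard-coded hash, a shell,
# a path to the real program, and NUL padding out to the genuine file's size.
_core = (
    b"\x7fELF\x00Password:\x00root\x00"
    b"$1$saltsalt$abcdefghijklmnopqrstuv\x00"  # constructed, not a real md5crypt hash
    b"/usr/libexec/ypchfn.real\x00"            # assumed location of the original binary
    b"/bin/sh\x00"
)
SUSPECT = _core + b"\x00" * (len(GENUINE) - len(_core))

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, triage(blob, KNOWN_GOOD_SHA256))
```

Run against a real file, read it with open(path, "rb").read() and pass a SHA-256 taken from install media or a trusted mtree(8) spec, not from the possibly compromised host. The string-count and padding checks only catch a wholesale replacement like the one Krzysztof found; a genuine binary patched in place keeps its 346 strings, so the hash comparison against an offline reference is the check that holds in both cases.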