From owner-freebsd-security  Mon Jul 12  7:10: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8A8C814C30; Mon, 12 Jul 1999 07:10:00 -0700 (PDT)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA09930;
	Mon, 12 Jul 1999 10:09:30 -0400 (EDT)
	(envelope-from robert@cyrus.watson.org)
Date: Mon, 12 Jul 1999 10:09:30 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Mark Newton <newton@atdot.dotat.org>
Cc: Mike Tancsa <mike@sentex.net>, security@FreeBSD.ORG,
	stable@FreeBSD.ORG
Subject: Re: 3.x backdoor rootshell security hole
In-Reply-To: <199907121156.VAA05155@atdot.dotat.org>
Message-ID: <Pine.BSF.3.96.990712100409.9906A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 12 Jul 1999, Mark Newton wrote:

> Mike Tancsa wrote:
> 
>  > Has anyone looked at the articled below ? Here is a quote,
>  > "The following module was a nice idea I had when playing around with the
>  > proc structure. Load this module, and you can 'SU' without a password.
> 
> If you have enough privileges to load a module, you have enough 
> privileges to su without a password already (by creating an suid
> shell, for example)

In fact, if you have permission to modify the running kernel, you may have
more privilege than that of a root process, with securelevels.. :-)  What
the THC posting is really about it hiding compromises on a machine that
has been compromised, and leaving backdoors.  The title, "Attacking
FreeBSD..." is a little misleading, it's more about "Trojaning FreeBSD
Once You Already Have Absolute Control of a Machine".  And these aren't
even very persistent: they have to be reloaded after each boot, meaning
changes to configuration files, etc, etc.  

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Computing Laboratory at Cambridge University
Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message