From owner-freebsd-stable@FreeBSD.ORG Fri Jul 1 14:08:55 2005
Date: Fri, 1 Jul 2005 16:06:36 +0200 (CEST)
Message-Id: <200507011406.j61E6a1f092322@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <42C54F34.3070003@epson-europe.com>
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386))
Subject: Re: Possible exploit in 5.4-STABLE

Argelo, Jorn wrote:
> [...]
> This site, of course (almost) completely in Russian, had a file to gain
> root access with a modified su utility. [...]
>
> This is a translation from babelfish:
>
> Plain replacement of "standard" su for FreeBSD. It makes it possible to
> become any user (inc. root) with the introduction of any password. For
> this necessary to neglect su with the option "-!". with the use of this
> option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.

To install such a modified su utility, you need to be root anyway.
So this is not an exploit.

It could be useful to install hidden backdoors on cracked machines,
though, as part of a root kit or similar. You could achieve the same
effect by copying /bin/sh to some hidden place and making it setuid-root
(which also requires root privileges in the first place). The advantage
of a modified su utility is the fact that su(1) is setuid-root anyway,
so it might be more difficult to detect the backdoor.

However -- In both cases the modified suid binary should be found and
reported by the nightly security cronjob, unless you also modify find(1)
and/or other utilities. This is a very good reason to actually _read_
the nightly cron output instead of deleting it immediately or forwarding
it to /dev/null. ;-)

(Also, local IDS tools like tripwire or mtree might be useful for such
cases, too.)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"A language that doesn't have everything is actually easier to
program in than some that do." -- Dennis M. Ritchie
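The detection Oliver relies on above (the nightly security cron job noticing a newly planted setuid binary) boils down to listing setuid/setgid files and diffing that list against yesterday's. The script below is an added example written for this archive page, not code from the thread or from FreeBSD's own periodic scripts: it builds a constructed sample tree under mktemp, records a baseline, plants a simulated hidden setuid file, and shows the check reporting it. The function names `list_setuid`, `check_setuid` and `demo` and the baseline file name are assumptions for the example.

```sh
#!/bin/sh
# Added example (not from the original thread): a minimal version of the
# kind of setuid check the nightly FreeBSD security cron job performs.
# List every setuid/setgid file under a tree, diff it against a saved
# baseline, and report anything new. Runs on a constructed sample tree so it
# never touches the real system.

# Print setuid/setgid regular files under $1 as "mode owner group path",
# sorted by path so the output is diffable. Octal -perm values are used so
# the same command works with BSD and GNU find. Paths containing spaces are
# not handled; the real periodic script has the same limitation.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -l {} \; 2>/dev/null \
        | awk '{print $1, $3, $4, $NF}' | sort -k4
}

# Compare the current listing for tree $1 against baseline file $2.
# First run: record the baseline and return 0. Later runs: return 0 when
# nothing changed, otherwise print the diff and return 1.
check_setuid() {
    tree=$1; baseline=$2
    current=$(list_setuid "$tree")
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$current" > "$baseline"
        return 0
    fi
    changes=$(printf '%s\n' "$current" | diff "$baseline" -) && return 0
    echo "setuid/setgid changes under $tree:"
    echo "$changes"
    return 1
}

# Constructed scenario: one legitimate setuid binary (a stand-in for su) is
# present when the baseline is taken; afterwards a hidden setuid file is
# planted. Returns 0 when the check reports the planted file, 1 otherwise.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/var/.hidden"
    printf '#!/bin/sh\n' > "$tmp/usr/bin/su"
    chmod 4555 "$tmp/usr/bin/su"
    check_setuid "$tmp" "$tmp/setuid.baseline"        # records the baseline
    printf '#!/bin/sh\n' > "$tmp/var/.hidden/sh"      # simulated backdoor file
    chmod 4755 "$tmp/var/.hidden/sh"
    if check_setuid "$tmp" "$tmp/setuid.baseline"; then
        result=1   # change went unnoticed: detection failed
    else
        result=0   # new setuid file was reported
    fi
    rm -rf "$tmp"
    return $result
}
```

On a real FreeBSD system the equivalent job is /etc/periodic/security/100.chksetuid, which keeps /var/log/setuid.today and setuid.yesterday and mails the diff; the point of the example is that the report is only useful if somebody reads it, and that a trojaned find(1) or ls(1) defeats this check, which is why an mtree or tripwire database kept off the host is the stronger complement.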