From: Jorn Argelo <jorn@wcborstel.nl>
To: freebsd-stable@FreeBSD.ORG
Date: Fri, 01 Jul 2005 18:40:00 +0200
Subject: Re: Possible exploit in 5.4-STABLE
In-Reply-To: <200507011406.j61E6a1f092322@lurza.secnetix.de>

Oliver Fromme wrote:
> Argelo, Jorn wrote:
> > [...]
> > This site, of course (almost) completely in Russian, had a file to gain
> > root access with a modified su utility. [...]
> >
> > This is a translation from babelfish:
> >
> > Plain replacement of "standard" su for FreeBSD. It makes it possible to
> > become any user (inc. root) with the introduction of any password. For
> > this necessary to neglect su with the option "-!". with the use of this
> > option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.
>
> To install such a modified su utility, you need to be root
> anyway.
>
> So this is not an exploit. It could be useful to install
> hidden backdoors on cracked machines, though, as part of a
> root kit or similar. You could achieve the same effect by
> copying /bin/sh to some hidden place and make it setuid-
> root (which also requires root privileges in the first
> place). The advantage of a modified su utility is the fact
> that su(1) is setuid-root anyway, so it might be more
> difficult to detect the backdoor.
>
> However -- In both cases the modified suid binary should
> be found and reported by the nightly security cronjob,
> unless you also modify find(1) and/or other utilities.
> This is a very good reason to actually _read_ the nightly
> cron output instead of deleting it immediately or forwarding
> it to /dev/null. ;-)
>
> (Also, local IDS tools like tripwire or mtree might be
> useful for such cases, too.)
>
> Best regards
> Oliver

Thank you for clearing this up Oliver. I just wanted to make sure it's a
harmless thing. Better safe than sorry ;)

Cheers,

Jorn.
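A minimal version of the setuid scan Oliver refers to, added here as an example (it is not FreeBSD's own periodic security script, nor anything posted in this thread): it records every setuid/setgid file under a tree with its mode, owner and content digest, then diffs a later run against that baseline, so a swapped-in su binary is reported even though path and mode look normal. The digest tool fallback order and the command-line layout are assumptions.

```shell
#!/bin/sh
# Added example, not FreeBSD's periodic(8) security script: a baseline/diff
# audit of setuid and setgid files, in the spirit of the nightly security mail.

# Digest a file with whatever the host has: sha256(1) on FreeBSD,
# sha256sum on Linux, POSIX cksum as a last resort (assumed fallback order).
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# Print one sorted line per setuid/setgid regular file under $1:
# "<mode> <owner> <group> <digest> <path>". Redirect to a file for a baseline.
setuid_snapshot() {
    root=$1
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        set -- $(ls -ld "$f")   # ls -l columns: mode links owner group ...
        printf '%s %s %s %s %s\n' "$1" "$3" "$4" "$(file_digest "$f")" "$f"
    done | sort
}

# Diff a fresh snapshot of $1 against baseline file $2. Lines prefixed "+" are
# new or changed (a replaced su shows up here because its digest differs),
# "-" lines vanished or changed. Returns 1 when anything differs, else 0.
setuid_check() {
    tmp=$(mktemp) || return 2
    setuid_snapshot "$1" > "$tmp"
    sort "$2" > "$tmp.base"
    removed=$(comm -23 "$tmp.base" "$tmp")
    added=$(comm -13 "$tmp.base" "$tmp")
    rm -f "$tmp" "$tmp.base"
    [ -z "$removed" ] && [ -z "$added" ] && return 0
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    return 1
}

# Command-line use: "snapshot <dir> > baseline" once, then "check <dir> baseline"
# from cron; a non-zero exit and the "+"/"-" lines are what to read in the mail.
case "${1:-}" in
    snapshot) setuid_snapshot "$2" ;;
    check)    setuid_check "$2" "$3" ;;
esac
```

Like the nightly job, this only helps if find(1), ls(1) and the digest tool themselves are trusted, which is why Oliver also points at mtree or tripwire run from known-good media.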