Date: Wed, 25 Jul 2001 01:47:25 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: Peter Pentchev <roam@orbitel.bg>
Cc: Jon Loeliger <jdl@jdl.com>, security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
Message-ID: <Pine.BSF.4.21.0107250125420.489-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>
On Tue, 24 Jul 2001, Peter Pentchev wrote:

> > Here is a `strings /usr/bin/ypchfn`:
> >
> > www 182 # strings /usr/bin/ypchfn
> > /usr/libexec/ld-elf.so.1
> > FreeBSD
> > libcrypt.so.2
> > _DYNAMIC
> > _init
> > __deregister_frame_info
> > crypt
> > strcmp
> > _fini
> > _GLOBAL_OFFSET_TABLE_
> > __register_frame_info
> > libc.so.4
> > strerror
> > execl
> > environ
> > fprintf
> > __progname
> > __error
> > setgid
> > __sF
> > execv
> > getpwuid
> > getpwnam
> > atexit
> > exit
> > strchr
> > execvp
> > setuid
> > _etext
> > _edata
> > __bss_start
> > _end
> > 8/u
> > QR2cc.wsLFbKU
> > root
>
> ..and just as somebody else pointed out, the last two lines look like
> a 13-character DES-encrypted password hash and a username. I think
> that the 'new' ypchfn either replaces root's password, or asks for
> a password and gives a root shell if the user enters the password
> corresponding to that hash. Please correct me if I'm wrong, but...

Driven by curiosity I've just done strings /usr/bin/ypchfn on my
4.3-RELEASE machine and got output that is 346 lines long. So it seems
to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn
with extra feature(s) giving root access) but rather a totally new
program, rather short, whose executable has been somehow "padded" to
have the length equal to that of the original ypchfn.

Two things seem weird to me here:

1. If it _replaces_ root password, how would the future usage of it by
the intruder go undetected? Backdoors should be possibly untraceable I
guess.

2. What if ypchfn is run by an unsuspecting user in a good-will attempt
to change her finger information? She locks out root?
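The check the thread performs by hand (run strings on the suspect binary, notice a hash-shaped string next to "root", and compare the string list against a clean copy of the same program), as an added Python example that is not part of the original thread. The two sample "binaries" are constructed byte strings, and the extra reference symbols (yp_get_default_domain, yp_match, /var/yp) are assumptions, not the real ypchfn symbol table.

```python
import re
from typing import Dict, List

# crypt(3) DES output is a 2-char salt plus 11 chars, all from [./0-9A-Za-z]
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def looks_like_des_crypt(s: str) -> bool:
    """Heuristic only: DES-hash shape, plus mixed case and a digit so that
    ordinary 13-char names such as "libcrypt.so.2" are not flagged."""
    if not DES_CRYPT.match(s):
        return False
    return (any(c.isupper() for c in s) and any(c.islower() for c in s)
            and any(c.isdigit() for c in s))


def assess(suspect: bytes, reference: bytes) -> Dict[str, object]:
    """Diff the suspect's strings against a known-good copy and report
    hash-shaped strings that exist only in the suspect."""
    sus, ref = extract_strings(suspect), extract_strings(reference)
    added = sorted(set(sus) - set(ref))
    missing = sorted(set(ref) - set(sus))
    return {
        "suspect_count": len(sus), "reference_count": len(ref),
        "added": added, "missing": missing,
        "hash_candidates": [s for s in added if looks_like_des_crypt(s)],
    }


# Constructed samples (not real ELF files): the reference carries a larger
# symbol set, the suspect carries few symbols, a hash-shaped string beside
# "root", and NUL padding that brings it to the reference's file size.
REFERENCE = b"\x7fELF\x00" + b"\x00".join(
    [b"/usr/libexec/ld-elf.so.1", b"libcrypt.so.2", b"crypt", b"getpwnam",
     b"setuid", b"execv", b"yp_get_default_domain", b"yp_match", b"/var/yp"]) + b"\x00"
_body = b"\x7fELF\x00" + b"\x00".join(
    [b"/usr/libexec/ld-elf.so.1", b"libcrypt.so.2", b"crypt", b"getpwnam",
     b"setuid", b"execv", b"QR2cc.wsLFbKU", b"root"]) + b"\x00"
SUSPECT = _body + b"\x00" * (len(REFERENCE) - len(_body))

if __name__ == "__main__":
    print(assess(SUSPECT, REFERENCE))
```

The string-count gap and the symbols that vanished are the stronger signal; the hash-shaped string is only a hint, and the real verdict comes from comparing against a binary from known-good media.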