Date:      Wed, 25 Jul 2001 01:47:25 +0200 (CEST)
From:      Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To:        Peter Pentchev <roam@orbitel.bg>
Cc:        Jon Loeliger <jdl@jdl.com>, security@FreeBSD.ORG
Subject:   Re: Security Check Diffs Question
Message-ID:  <Pine.BSF.4.21.0107250125420.489-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>

On Tue, 24 Jul 2001, Peter Pentchev wrote:

> > Here is a `strings /usr/bin/ypchfn`:
> > 
> >     www 182 # strings /usr/bin/ypchfn
> >     /usr/libexec/ld-elf.so.1
> >     FreeBSD
> >     libcrypt.so.2
> >     _DYNAMIC
> >     _init
> >     __deregister_frame_info
> >     crypt
> >     strcmp
> >     _fini
> >     _GLOBAL_OFFSET_TABLE_
> >     __register_frame_info
> >     libc.so.4
> >     strerror
> >     execl
> >     environ
> >     fprintf
> >     __progname
> >     __error
> >     setgid
> >     __sF
> >     execv
> >     getpwuid
> >     getpwnam
> >     atexit
> >     exit
> >     strchr
> >     execvp
> >     setuid
> >     _etext
> >     _edata
> >     __bss_start
> >     _end
> >     8/u
> >     QR2cc.wsLFbKU
> >     root
> 
> ..and just as somebody else pointed out, the last two lines look like
> a 13-character DES-encrypted password hash and a username.  I think
> that the 'new' ypchfn either replaces root's password, or asks for
> a password and gives a root shell if the user enters the password
> corresponding to that hash.
Please correct me if I'm wrong, but...

Driven by curiosity I've just done strings /usr/bin/ypchfn on my
4.3-RELEASE machine and got output which is 346 lines long. So it
seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn
with extra feature(s) giving root access) but rather a totally new
program, rather short, whose executable has been somehow "padded" to have
the same length as the original ypchfn. Two things seem weird to
me here:

1. If it _replaces_ root's password, how would the future usage of it by the
intruder go undetected? Backdoors should be as untraceable as possible, I guess.

2. What if ypchfn is run by an unsuspecting user in a good-faith attempt to
change her finger information? She locks out root?




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
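The triage this thread does by hand (run strings over the suspect binary, notice a 13-character crypt(3)-style hash sitting next to a username, and compare the size of the string table against a known-good copy of the same program) can be scripted. The following is an added example and is not code from the thread or from FreeBSD. Both "binaries" are constructed byte blobs: the suspect one reuses the strings quoted above, the reference one is filler standing in for the real ypchfn's larger string table, not its actual contents. The mixed-case rule in looks_like_des_hash is my own heuristic (it keeps file names such as libcrypt.so.2, also 13 characters from the crypt alphabet, from being flagged, at the cost of missing a genuine hash that happens to contain no upper- or no lowercase letter).

```python
"""Script the strings(1)-based triage discussed in this thread (added example)."""
import re
from typing import Dict, List, Tuple

# Traditional DES crypt(3) output: 2-char salt + 11-char hash, all 13
# characters drawn from the 64-character alphabet [./0-9A-Za-z].
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Minimal strings(1): runs of at least min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def looks_like_des_hash(s: str) -> bool:
    """Heuristic (mine, not a strict test): crypt(3) alphabet, length 13,
    and mixed case so ordinary file names like 'libcrypt.so.2' drop out."""
    if not DES_HASH_RE.match(s):
        return False
    return any(c.isupper() for c in s) and any(c.islower() for c in s)


def find_hash_candidates(strings: List[str], window: int = 1) -> List[Tuple[str, List[str]]]:
    """Return each hash-looking string with its neighbours in the string table,
    so a username stored right next to it (as 'root' is in the post) shows up."""
    out = []
    for i, s in enumerate(strings):
        if looks_like_des_hash(s):
            neighbours = strings[max(0, i - window):i] + strings[i + 1:i + 1 + window]
            out.append((s, neighbours))
    return out


def compare_string_tables(suspect: List[str], reference: List[str]) -> Dict[str, object]:
    """Krzysztof's check: a padded replacement program has far fewer strings
    than the real binary and shares little with it beyond libc symbols."""
    s, r = set(suspect), set(reference)
    return {
        "suspect_count": len(suspect),
        "reference_count": len(reference),
        "only_in_suspect": sorted(s - r),
        "only_in_reference": sorted(r - s),
        "shared_fraction": len(s & r) / len(r) if r else 0.0,
    }


def fake_elf(strings: List[str], padded_size: int) -> bytes:
    """Constructed stand-in for a binary: a NUL-separated string table padded
    with zero bytes to padded_size. Not a real ELF, just enough to scan."""
    body = b"\x7fELF" + b"\x00".join(s.encode("ascii") for s in strings) + b"\x00"
    return body.ljust(padded_size, b"\x00")


# The strings quoted in the thread's `strings /usr/bin/ypchfn` output.
SUSPECT_STRINGS = [
    "/usr/libexec/ld-elf.so.1", "FreeBSD", "libcrypt.so.2", "_DYNAMIC", "_init",
    "__deregister_frame_info", "crypt", "strcmp", "_fini", "_GLOBAL_OFFSET_TABLE_",
    "__register_frame_info", "libc.so.4", "strerror", "execl", "environ", "fprintf",
    "__progname", "__error", "setgid", "__sF", "execv", "getpwuid", "getpwnam",
    "atexit", "exit", "strchr", "execvp", "setuid", "_etext", "_edata",
    "__bss_start", "_end", "8/u", "QR2cc.wsLFbKU", "root",
]

# Constructed reference table: a few shared runtime symbols plus filler lines,
# standing in for the ~346-line output of a genuine 4.3-RELEASE ypchfn.
REFERENCE_STRINGS = [
    "/usr/libexec/ld-elf.so.1", "FreeBSD", "libc.so.4", "_DYNAMIC", "_init", "_fini",
    "getpwuid", "getpwnam", "strerror", "fprintf", "exit", "atexit", "__progname",
] + ["constructed filler string #%d" % i for i in range(300)]


def triage() -> Dict[str, object]:
    """Run the whole check on the constructed blobs and return the findings."""
    suspect = extract_strings(fake_elf(SUSPECT_STRINGS, 16384))  # "padded" binary
    reference = extract_strings(fake_elf(REFERENCE_STRINGS, 16384))
    return {
        "suspect_strings": suspect,
        "candidates": find_hash_candidates(suspect),
        "reference_candidates": find_hash_candidates(reference),
        "report": compare_string_tables(suspect, reference),
    }


if __name__ == "__main__":
    result = triage()
    for h, near in result["candidates"]:
        print("possible crypt(3) hash %r next to %r" % (h, near))
    rep = result["report"]
    print("suspect has %d strings, reference %d (%.0f%% of reference shared)"
          % (rep["suspect_count"], rep["reference_count"], 100 * rep["shared_fraction"]))
```

Running it flags QR2cc.wsLFbKU with "root" as its right-hand neighbour and reports a string table roughly a tenth the size of the reference, which is the shape of evidence both posters describe. Note that the 3-character "8/u" falls below the default minimum length and is not extracted, exactly as with strings(1).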