From owner-freebsd-security Tue Jul 24 16:47:58 2001
Date: Wed, 25 Jul 2001 01:47:25 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: Peter Pentchev
Cc: Jon Loeliger, security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
In-Reply-To: <20010724205228.A16243@ringworld.oblivion.bg>

On Tue, 24 Jul 2001, Peter Pentchev wrote:

> > Here is a `strings /usr/bin/ypchfn`:
> >
> > www 182 # strings /usr/bin/ypchfn
> > /usr/libexec/ld-elf.so.1
> > FreeBSD
> > libcrypt.so.2
> > _DYNAMIC
> > _init
> > __deregister_frame_info
> > crypt
> > strcmp
> > _fini
> > _GLOBAL_OFFSET_TABLE_
> > __register_frame_info
> > libc.so.4
> > strerror
> > execl
> > environ
> > fprintf
> > __progname
> > __error
> > setgid
> > __sF
> > execv
> > getpwuid
> > getpwnam
> > atexit
> > exit
> > strchr
> > execvp
> > setuid
> > _etext
> > _edata
> > __bss_start
> > _end
> > 8/u
> > QR2cc.wsLFbKU
> > root
>
> ..and just as somebody else pointed out, the last two lines look like
> a 13-character DES-encrypted password hash and a username. I think
> that the 'new' ypchfn either replaces root's password, or asks for
> a password and gives a root shell if the user enters the password
> corresponding to that hash.

Please correct me if I'm wrong, but...

Driven by curiosity I've just done strings /usr/bin/ypchfn on my 4.3-RELEASE machine and got output which is 346 lines long. So it seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn with extra feature(s) giving root access) but rather a totally new program, rather short, whose executable has been somehow "padded" to have the same length as the original ypchfn.

Two things seem weird to me here:

1. If it _replaces_ the root password, how would future usage of it by the intruder go undetected? Backdoors should be as untraceable as possible, I guess.

2. What if ypchfn is run by an unsuspecting user in a good-will attempt to change her finger information? She locks out root?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
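The two observations in the thread (a 13-character crypt(3) hash sitting next to a username in the strings(1) output, and a tiny program padded out to the original binary's size) can be turned into a defender's triage check. The following is an added Python example, not code from the list or from FreeBSD; the sample bytes and the hash in them are constructed, and the mixed-case filter is an assumption used to avoid flagging library names such as libcrypt.so.2 that happen to fit the hash alphabet and length.

```python
import re

# Constructed sample, not a real binary: an ELF-style magic, a few symbol
# names as in the quoted strings(1) output, then a made-up 13-character
# crypt(3) hash followed by "root", and a large NUL pad like the padded binary.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 25
    + b"/usr/libexec/ld-elf.so.1\x00libcrypt.so.2\x00crypt\x00strcmp\x00"
    + b"setuid\x00execv\x00getpwnam\x00"
    + b"AbCdEfGhIjKlM\x00root\x00"          # made-up hash, then the username
    + b"\x00" * 4096                          # padding to a target size
)

PRINTABLE = set(range(0x20, 0x7F)) | {0x09}   # what strings(1) treats as text
# Traditional DES crypt(3): 2 salt chars + 11 hash chars, alphabet [./0-9A-Za-z].
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def extract_strings(data, min_len=4):
    """Mimic strings(1): runs of at least min_len printable ASCII bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":            # trailing NUL flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def looks_like_des_hash(s):
    """Alphabet/length match plus a mixed-case filter (an assumption): a random
    DES hash almost always contains both cases, while names such as
    libcrypt.so.2 fit the alphabet and length but are single-case."""
    return bool(DES_HASH_RE.match(s)) and s != s.lower() and s != s.upper()

def find_hash_user_pairs(strs):
    """(hash, next string) pairs; a hard-coded hash right before a username is
    the pattern the list flagged in the suspect ypchfn."""
    return [(s, strs[i + 1]) for i, s in enumerate(strs[:-1])
            if looks_like_des_hash(s)]

def nul_padding_ratio(data):
    """Share of NUL bytes; a short program padded to the original's length
    stands out next to a normal binary with hundreds of strings."""
    return data.count(0) / len(data) if data else 0.0
```

Run the three functions over a suspect setuid binary and compare the string count and NUL ratio against a known-good copy of the same release.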