From: David G Andersen
Subject: Re: Security Check Diffs Question
To: kzaraska@student.uci.agh.edu.pl (Krzysztof Zaraska)
Cc: roam@orbitel.bg (Peter Pentchev), jdl@jdl.com (Jon Loeliger), security@FreeBSD.ORG
Date: Tue, 24 Jul 2001 17:59:09 -0600 (MDT)
Message-Id: <200107242359.f6ONx9U09628@faith.cs.utah.edu>

Lo and behold, Krzysztof Zaraska once said:

> Driven by curiosity I've just done strings /usr/bin/ypchfn on my
> 4.3-RELEASE machine and got the output which is 346 lines long. So it
> seems to me that this binary is not a 'trojaned' ypchfn (that is, a ypchfn
> with extra feature(s) giving root access) but rather a totally new
> program, rather short, whose executable has been somehow "padded" to have
> the length equal to that of the original ypchfn. Two things seem weird to
> me here:
>
> 1. If it _replaces_ root password, how would the future usage of it by the
> intruder go undetected? Backdoors should be possibly untraceable I guess.

It's probably not what you think.

> 2. What if ypchfn is run by an unsuspecting user in a good will attempt to
> change her finger information? She locks out root?

ypchfn is not used to change root's password, especially since almost
nobody uses YP for disting out root's password (hint: this would be
exceptionally stupid).

It's probably a simple trojan with a pretty interface on it that says
(if username == "root", ask for their password. If crypt(input) == that
stored password, grant access to the system). If it's clever, it'd shell
out to the real ypchfn if that failed. Kind of like a trojaned login
binary.

A teensy bit of gdb'ing could probably determine if this is correct or
not.

-Dave

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
MIT Laboratory for Computer Science            http://www.angio.net/
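The manual triage Krzysztof describes (run strings, notice a short program padded out to the genuine file's length) as a script, added here as an example that is not from the thread or from FreeBSD. The two byte strings are constructed stand-ins for a genuine and a suspect binary, and the known-good hash is assumed to come from a trusted installation:

```python
import hashlib
import re

# strings(1) default: runs of at least 4 printable ASCII characters.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Constructed stand-ins, not real ypchfn bytes: a text-rich "genuine" file
# and a short replacement padded with NULs to exactly the same length.
GENUINE = b"".join(b"ypchfn msg %03d: usage text\x00" % i for i in range(346))
SHORT_PROGRAM = b"\x7fELF" + b"root\x00Password:\x00/usr/bin/ypchfn\x00" * 3
SUSPECT = SHORT_PROGRAM + b"\x00" * (len(GENUINE) - len(SHORT_PROGRAM))
KNOWN_GOOD_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # assumed: from trusted media


def trailing_padding(data: bytes, pad_byte: int = 0) -> int:
    """Length of the run of pad_byte at the end of the file."""
    end = len(data)
    while end > 0 and data[end - 1] == pad_byte:
        end -= 1
    return len(data) - end


def count_strings(data: bytes) -> int:
    """Number of printable strings, as strings(1) would report."""
    return len(STRINGS_RE.findall(data))


def triage(data: bytes, reference: bytes, known_good_sha256: str) -> dict:
    """Compare a suspect file against a trusted copy of the same binary."""
    pad = trailing_padding(data)
    return {
        "hash_matches": hashlib.sha256(data).hexdigest() == known_good_sha256,
        "size_matches": len(data) == len(reference),
        "strings_ratio": count_strings(data) / max(count_strings(reference), 1),
        "trailing_padding": pad,
        # Same size as the reference, mostly padding, and far fewer strings:
        # the signature of a short replacement padded to the original length.
        "padded_replacement": len(data) == len(reference)
        and pad > len(data) // 2
        and count_strings(data) < count_strings(reference) // 4,
    }


if __name__ == "__main__":
    print(triage(GENUINE, GENUINE, KNOWN_GOOD_SHA256))
    print(triage(SUSPECT, GENUINE, KNOWN_GOOD_SHA256))
```

Size-only checks pass the padded file; the hash mismatch and the padding/strings ratio are what expose it.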