Date:      Wed, 25 Jul 2001 17:20:12 +0300
From:      Peter Pentchev <roam@orbitel.bg>
To:        Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc:        David G Andersen <danderse@cs.utah.edu>, Jon Loeliger <jdl@jdl.com>, security@FreeBSD.ORG
Subject:   Re: Security Check Diffs Question
Message-ID:  <20010725172011.A44945@ringworld.oblivion.bg>
In-Reply-To: <Pine.BSF.4.21.0107250806460.1102-100000@lhotse.zaraska.dhs.org>; from kzaraska@student.uci.agh.edu.pl on Wed, Jul 25, 2001 at 08:36:31AM +0200
References:  <200107242359.f6ONx9U09628@faith.cs.utah.edu> <Pine.BSF.4.21.0107250806460.1102-100000@lhotse.zaraska.dhs.org>

On Wed, Jul 25, 2001 at 08:36:31AM +0200, Krzysztof Zaraska wrote:
> On Tue, 24 Jul 2001, David G Andersen wrote:
> 
> >   It's probably a simple trojan with a pretty interface on it that
> > says, (if username == "root", ask for their password.  If crypt(input) ==
> > that stored password, grant access to the system).
> I agree that this is the way this thing should work, but I was wondering:
> I string original ypchfn and I see a bunch of lines like "no uid for %s"
> resembling arguments for printf() so I guess that is ypchfn's user
> interface. But in this trojan I can see neither these lines nor
> something resembling a path to the original ypchfn. So, my question is:
> how does it masquerade to the user as original ypchfn not having its user
> interface inside? Or, maybe, the trojan contains ypchfn-like user
> interface but it cannot be seen by running strings on it?

It does not need to contain any user interface to masquerade as
the original.  All it needs to do is check if it has been executed
with a single argument - a username, e.g. 'root', if this username
is indeed the username it expects (to activate the trojan behavior),
and if so, ask for password.  If it has not been executed as ypchfn,
or if there is more than one argument, or if the argument is not
what it expects, all it needs to do is execute the original ypchfn.
It knows that chpass, chfn etc. are still hardlinks to the original
binary, so it executes one of those - and voila, here's your "real"
ypchfn for all to use, except for those who know how to invoke it.

Of course, this particular trojan might not behave this way; I have
only outlined one possible type of trojan masquerading as normal
system utilities, and occasionally making use of the setuid bit.

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.
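The mechanism Peter describes relies on one property a defender can check: the chpass family of names are supposed to be hardlinks to a single binary, so a replaced name shows up as a different inode (and a different content hash) from its siblings. The script below is an added example for this archive page, not code from the thread or from FreeBSD; it audits a list of paths for the odd one out and, given a known-good hash, for content that no longer matches. The directory layout it inspects is constructed in a temporary directory so it runs anywhere; the file names and the baseline hash are placeholders for a real system's paths and a hash taken from trusted install media.

```python
"""Flag a utility name that is no longer a hardlink to its siblings.

Added example, not part of the original mailing-list thread.  The names
checked (chpass, chfn, chsh, ypchfn, ypchsh) are assumed to be hardlinks
to one binary; the demo layout below is constructed in a temp directory.
"""
import hashlib
import os
import tempfile
from collections import Counter


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_outliers(paths):
    """Return the paths that do not share the majority (device, inode) pair.

    A missing name is reported too: a removed link is as suspicious as a
    replaced one.
    """
    keys = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            keys[p] = None
            continue
        keys[p] = (st.st_dev, st.st_ino)
    present = [k for k in keys.values() if k is not None]
    if not present:
        return sorted(paths)
    majority, _ = Counter(present).most_common(1)[0]
    return sorted(p for p, k in keys.items() if k != majority)


def audit(paths, expected_sha256=None):
    """Audit one family of names; returns outliers and hash mismatches."""
    outliers = find_outliers(paths)
    mismatches = []
    if expected_sha256 is not None:
        for p in paths:
            if os.path.exists(p) and sha256_of(p) != expected_sha256:
                mismatches.append(p)
    return {"outliers": outliers, "hash_mismatch": sorted(mismatches)}


def build_demo(root):
    """Constructed layout: three hardlinked names, one replaced, one missing."""
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    original = os.path.join(bindir, "chpass")
    with open(original, "wb") as f:
        f.write(b"#!/bin/sh\necho original chpass\n")  # stands in for the real binary
    for name in ("chfn", "chsh"):
        os.link(original, os.path.join(bindir, name))
    with open(os.path.join(bindir, "ypchfn"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced\n")  # stands in for a replaced name
    # ypchsh is deliberately absent from the constructed layout
    return [os.path.join(bindir, n) for n in ("chpass", "chfn", "chsh", "ypchfn", "ypchsh")]


def run_demo():
    """Build the constructed layout, audit it, and return basenames only."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_demo(root)
        baseline = sha256_of(paths[0])  # placeholder for a hash from trusted media
        result = audit(paths, baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(run_demo())
```

On a real host the baseline hash must come from somewhere the suspected binary could not have written to (install media, a package checksum file stored off-box), since a hash computed on the compromised system only proves the file equals itself; the inode comparison alone already catches the case the thread discusses, where one name in the family has been replaced with a separate file.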
