From: Peter Pentchev <roam@orbitel.bg>
To: Krzysztof Zaraska
Cc: David G Andersen, Jon Loeliger, security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
Date: Wed, 25 Jul 2001 17:20:12 +0300
Message-ID: <20010725172011.A44945@ringworld.oblivion.bg>
References: <200107242359.f6ONx9U09628@faith.cs.utah.edu>
In-Reply-To: message from kzaraska@student.uci.agh.edu.pl on Wed, Jul 25, 2001 at 08:36:31AM +0200

On Wed, Jul 25, 2001 at 08:36:31AM +0200, Krzysztof Zaraska wrote:
> On Tue, 24 Jul 2001, David G Andersen wrote:
> >
> > It's probably a simple trojan with a pretty interface on it that
> > says, (if username == "root", ask for their password. If crypt(input) ==
> > that stored password, grant access to the system).
>
> I agree that this is the way this thing should work, but I was wondering:
> I run strings on the original ypchfn and I see a bunch of lines like "no uid for %s"
> resembling arguments for printf(), so I guess that is ypchfn's user
> interface. But in this trojan I can see neither these lines nor
> something resembling a path to the original ypchfn. So, my question is:
> how does it masquerade to the user as the original ypchfn without having its user
> interface inside? Or, maybe, the trojan contains a ypchfn-like user
> interface but it cannot be seen by running strings on it?

It does not need to contain any user interface to masquerade as the
original. All it needs to do is check if it has been executed with a
single argument - a username, e.g. 'root' - if this username is indeed
the username it expects (to activate the trojan behavior), and if so,
ask for a password. If it has not been executed as ypchfn, or if there
is more than one argument, or if the argument is not what it expects,
all it needs to do is execute the original ypchfn. It knows that chpass,
chfn etc. are still hardlinks to the original binary, so it executes one
of those - and voila, here's your "real" ypchfn for all to use, except
for those who know how to invoke it.

Of course, this particular trojan might not behave this way; I have only
outlined one possible type of trojan masquerading as normal system
utilities, and occasionally making use of the setuid bit.

G'luck,
Peter

-- 
I had to translate this sentence into English because I could not read the original Sanskrit.
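The detail Peter relies on - that chpass, chfn, chsh and their yp* names are all hardlinks to one setuid binary - is also the property a defender can check. The script below is an added example, not part of the message or of FreeBSD's own security scripts: it lstat()s each name in the family, groups them by (device, inode), and reports any name that sits on a different inode (a replaced file or a symlink dropped in place of the hardlink), any name that has lost its setuid bit, and any name that is missing. The paths in CHPASS_FAMILY are assumed for illustration.

```python
import os
import stat
from collections import defaultdict

# Names under which the chpass binary is reachable on FreeBSD. These paths
# are assumed for illustration; adjust them for the system being audited.
CHPASS_FAMILY = [
    "/usr/bin/chpass", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/ypchpass", "/usr/bin/ypchfn", "/usr/bin/ypchsh",
]


def audit_link_family(paths):
    """Check that a set of paths are hardlinks to one setuid binary.

    Returns a dict with:
      groups     - {(st_dev, st_ino): [paths sharing that inode]}
      outliers   - existing paths that are NOT in the largest inode group
                   (a replaced binary or an inserted symlink shows up here)
      symlinks   - paths that are symlinks rather than hardlinks
      not_setuid - existing regular files whose mode lacks the setuid bit
      missing    - paths that do not exist
    """
    groups = defaultdict(list)
    symlinks, not_setuid, missing = [], [], []

    for path in paths:
        try:
            # lstat, not stat: a symlink dropped in place of a hardlink must
            # be seen as its own object, not resolved to its target.
            st = os.lstat(path)
        except FileNotFoundError:
            missing.append(path)
            continue
        if stat.S_ISLNK(st.st_mode):
            symlinks.append(path)
        elif not st.st_mode & stat.S_ISUID:
            not_setuid.append(path)
        groups[(st.st_dev, st.st_ino)].append(path)

    outliers = []
    if groups:
        # The largest inode group is taken to be the genuine binary; every
        # name living on a different inode is reported.
        majority = max(groups.values(), key=len)
        for members in groups.values():
            if members is not majority:
                outliers.extend(members)

    return {
        "groups": dict(groups),
        "outliers": outliers,
        "symlinks": symlinks,
        "not_setuid": not_setuid,
        "missing": missing,
    }


def format_report(result):
    """Render the audit result as lines suitable for a periodic security mail."""
    lines = []
    for (dev, ino), members in result["groups"].items():
        lines.append(f"inode {dev}:{ino} -> {', '.join(members)}")
    for key in ("outliers", "symlinks", "not_setuid", "missing"):
        for path in result[key]:
            lines.append(f"WARNING {key}: {path}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit_link_family(CHPASS_FAMILY)):
        print(line)
```

Run from a periodic job, the report lines can be diffed against the previous run the same way the daily security output is; a new WARNING line for one of the names, while the others still share an inode, is exactly the situation described in the thread, where the one name a user would type has been replaced and the remaining hardlinks still lead to the real program.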