From: Krzysztof Zaraska
Date: Sat, 8 Sep 2001 16:53:05 +0200 (CEST)
To: Kris Kennaway
Cc: Kristen Doyle, FreeBSD securit
Subject: Re: Remote Shell Trojan
In-Reply-To: <20010908054458.A68778@xor.obsecurity.org>

On Sat, 8 Sep 2001, Kris Kennaway wrote:

> On Sat, Sep 08, 2001 at 08:07:35AM -0400, Kristen Doyle wrote:
> > Can anyone say for certain if FreeBSD is affected either as a base system or
> > under linux compat
> >
> > the description of the vuln is here
> > http://www.qualys.com/alert/remoteshell.html
>
> You could do something like this under almost any operating system
> including FreeBSD. It doesn't exploit a security vulnerability per
> se, it relies on being introduced into the system in another manner.

This is true; however, let's consider the following scenario:

1. we have a FreeBSD machine with Linux binary support loaded
2. someone runs the trojaned binary
3. if it turns out to work, it will try to infect stuff under /bin. If it was run by root (improbable) it may succeed.

However, I don't think a hybrid of FreeBSD software and Linux viral code would work.
IMHO the infection attempt would rather corrupt each affected file than let the virus spread. So we may end up with garbage in /bin and nothing more. Things may however turn out to be more complicated if there are Linux binaries on the machine and the virus finds them. Unfortunately I don't have any expendable FreeBSD machine to confirm my suspicions.
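The scenario in the thread turns on two questions an administrator can actually answer: which ELF binaries on a FreeBSD host are Linux-ABI (the candidates for a Linux infector reached via the compat layer) versus native FreeBSD, and whether anything under /bin or /compat/linux has changed since a known-good inventory. The following script is an added example written for this thread; it is not code from the thread, from the Qualys alert or from FreeBSD. It reads only the standard ELF identification bytes (EI_CLASS, EI_DATA, EI_OSABI) and e_type/e_machine, and it assumes the binaries are branded through EI_OSABI (ELFOSABI_FREEBSD = 9), which older, note-branded FreeBSD binaries may not be. The sample headers in the block are constructed for demonstration; the directory paths in main() are assumptions to edit for your host.

```python
#!/usr/bin/env python3
"""Inventory ELF binaries by OS/ABI and flag changes against a baseline.

Added example for the freebsd-security thread; not code from the thread
or from FreeBSD. Assumes EI_OSABI branding and treats any hash or ABI
change between two inventories as something to investigate.
"""
import hashlib
import os
import struct
from typing import Dict, List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"

# Standard EI_OSABI values from <elf.h>; anything else is reported as unknown.
OSABI_NAMES = {
    0: "SYSV (typical of Linux binaries)",
    3: "Linux (GNU)",
    9: "FreeBSD",
}


def parse_elf_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return class/endianness/OSABI/type/machine, or None if not an ELF file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed identification bytes
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "osabi": ei_osabi,
        "osabi_name": OSABI_NAMES.get(ei_osabi, f"unknown ({ei_osabi})"),
        "e_type": e_type,        # 2 = ET_EXEC, 3 = ET_DYN
        "e_machine": e_machine,  # 3 = i386, 62 = x86-64
    }


def inventory_from_bytes(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Map path -> (EI_OSABI, sha256) for every ELF file in the given contents."""
    result = {}
    for path, content in files.items():
        hdr = parse_elf_header(content)
        if hdr is None:
            continue  # shell scripts and other non-ELF files are not infection targets
        result[path] = (hdr["osabi"], hashlib.sha256(content).hexdigest())
    return result


def inventory_dir(dirpath: str) -> Dict[str, Tuple[int, str]]:
    """Read every regular file under dirpath and inventory the ELF ones."""
    contents = {}
    for root, _dirs, names in os.walk(dirpath):
        for name in names:
            full = os.path.join(root, name)
            if os.path.isfile(full) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    contents[full] = fh.read()
    return inventory_from_bytes(contents)


def diff_inventory(baseline: Dict[str, Tuple[int, str]],
                   current: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """List files that appeared or whose hash/ABI changed since the baseline."""
    findings = []
    for path, entry in sorted(current.items()):
        if path not in baseline:
            findings.append((path, "new file"))
        elif baseline[path] != entry:
            findings.append((path, "changed (hash or ABI differs)"))
    return findings


def make_header(osabi: int, ei_class: int = 2, e_machine: int = 62) -> bytes:
    """Constructed minimal ELF header (little-endian ET_EXEC) for demonstration."""
    e_ident = ELF_MAGIC + bytes([ei_class, 1, 1, osabi, 0]) + b"\x00" * 7
    return e_ident + struct.pack("<HH", 2, e_machine)


if __name__ == "__main__":
    # Assumed paths: native binaries and the Linux compat tree.
    for d in ("/bin", "/compat/linux/bin"):
        if os.path.isdir(d):
            for path, (osabi, digest) in sorted(inventory_dir(d).items()):
                print(f"{OSABI_NAMES.get(osabi, 'unknown'):38} {digest[:16]}  {path}")
```

Run it once on a clean host, keep the output somewhere the host cannot rewrite, and run diff_inventory() against a fresh inventory later; a native FreeBSD binary whose hash changed, or a file under /bin that suddenly carries a Linux-style OSABI, is exactly the "garbage in /bin" outcome the message speculates about.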