Date: Mon, 12 Jul 1999 10:09:30 -0400 (EDT) From: Robert Watson <robert@cyrus.watson.org> To: Mark Newton <newton@atdot.dotat.org> Cc: Mike Tancsa <mike@sentex.net>, security@FreeBSD.ORG, stable@FreeBSD.ORG Subject: Re: 3.x backdoor rootshell security hole Message-ID: <Pine.BSF.3.96.990712100409.9906A-100000@fledge.watson.org> In-Reply-To: <199907121156.VAA05155@atdot.dotat.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 12 Jul 1999, Mark Newton wrote: > Mike Tancsa wrote: > > > Has anyone looked at the articled below ? Here is a quote, > > "The following module was a nice idea I had when playing around with the > > proc structure. Load this module, and you can 'SU' without a password. > > If you have enough privileges to load a module, you have enough > privileges to su without a password already (by creating an suid > shell, for example) In fact, if you have permission to modify the running kernel, you may have more privilege than that of a root process, with securelevels.. :-) What the THC posting is really about it hiding compromises on a machine that has been compromised, and leaving backdoors. The title, "Attacking FreeBSD..." is a little misleading, it's more about "Trojaning FreeBSD Once You Already Have Absolute Control of a Machine". And these aren't even very persistent: they have to be reloaded after each boot, meaning changes to configuration files, etc, etc. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Computing Laboratory at Cambridge University Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990712100409.9906A-100000>