Possible exploit in 5.4-STABLE

2005-07-01 Thread Argelo, Jorn

Hi all,

My site has been cracked yesterday (don't worry it's not about that) and 
the cracker uploaded a script to delete stuff. Anyway, not important. 
The script contained a link to a russian site.


This site, of course (almost) completely in Russian, had a file to gain 
root access with a modified su utility. It's maybe not so useful for me 
to attach the binary, but I'll do it anyway because I don't have 
anything else but that and a readme file. It didn't seem to work (out of 
the box) with 5.4-RELEASE though.


This is a translation from babelfish:

Plain replacement of standard su for FreeBSD. It makes it possible to 
become any user (inc. root) with the introduction of any password. For 
this necessary to neglect su with the option -!. with the use of this 
option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.


My apologies if I am sending in something completely useless and not 
important, but I figured it wouldn't hurt just to make sure.


Cheers,

Jorn.




su.tgz
Description: Binary data
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: Possible exploit in 5.4-STABLE

2005-07-01 Thread Oliver Fromme
Argelo, Jorn [EMAIL PROTECTED] wrote:
  [...]
  This site, of course (almost) completely in Russian, had a file to gain 
  root access with a modified su utility. [...]
  
  This is a translation from babelfish:
  
  Plain replacement of standard su for FreeBSD. It makes it possible to 
  become any user (inc. root) with the introduction of any password. For 
  this necessary to neglect su with the option -!. with the use of this 
  option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.

To install such a modified su utility, you need to be root
anyway.

So this is not an exploit.  It could be useful to install
hidden backdoors on cracked machines, though, as part of a
root kit or similar.  You could achieve the same effect by
copying /bin/sh to some hidden place and make it setuid-
root (which also requires root privileges in the first
place).  The advantage of a modified su utility is the fact
that su(1) is setuid-root anyway, so it might be more
difficult to detect the backdoor.

However -- In both cases the modified suid binary should
be found and reported by the nightly security cronjob,
unless you also modify find(1) and/or other utilities.
This is a very good reason to actually _read_ the nightly
cron output instead of deleting it immediately or
forwarding it to /dev/null.  ;-)

(Also, local IDS tools like tripwire or mtree might be
useful for such cases, too.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

A language that doesn't have everything is actually easier
to program in than some that do.
-- Dennis M. Ritchie
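The setuid sweep Oliver refers to, as an added example that is not part of the thread or of FreeBSD's own periodic scripts: a POSIX shell sketch that snapshots setuid/setgid files and diffs the snapshot against a saved baseline, so a replaced su or a hidden setuid shell shows up as a changed or new line. The directory tree and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal stand-in for the
# setuid check the nightly FreeBSD security run performs. It snapshots
# setuid/setgid files and diffs the snapshot against a saved baseline, so
# a backdoored su or a hidden setuid shell shows up as a new or changed line.
# Directory names and file contents below are constructed for the demo.
LC_ALL=C; export LC_ALL

# Emit "mode owner path" for every setuid/setgid regular file under $1,
# sorted so two snapshots can be compared line by line.
# (Paths containing whitespace would need a stat(1)-based variant.)
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null \
        | awk '{ print $1, $3, $NF }' | sort
}

# Compare baseline ($1) and current ($2) snapshots. Prints "- entry" for
# files that lost the bit or vanished, "+ entry" for new or re-modded files;
# an unchanged system prints nothing.
report_suid_changes() {
    comm -3 "$1" "$2" | awk -F'\t' '$1 != "" { print "-", $1 } $2 != "" { print "+", $2 }'
}

# Constructed scenario: take a baseline of a tiny fake tree, then plant the
# kind of backdoor the thread describes (a setuid copy of a shell in a
# hidden directory) and let the check report it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/tmp/.hidden"
    printf 'stub\n' > "$root/bin/su"; chmod 4555 "$root/bin/su"   # legitimate setuid su
    printf 'stub\n' > "$root/bin/sh"; chmod 0555 "$root/bin/sh"   # ordinary binary
    list_suid "$root" > "$root/baseline"

    cp "$root/bin/sh" "$root/tmp/.hidden/sh"; chmod 4755 "$root/tmp/.hidden/sh"
    list_suid "$root" > "$root/current"

    report_suid_changes "$root/baseline" "$root/current"
    rm -rf "$root"
}
```

In practice the baseline is written once from a known-good system and kept off-box; the report is what you read in the nightly mail rather than sending it to /dev/null.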


Re: Possible exploit in 5.4-STABLE

2005-07-01 Thread Patrick Tracanelli

[skip]
to attach the binary, but I'll do it anyway because I don't have 
anything else but that and a readme file. It didn't seem to work (out of 
the box) with 5.4-RELEASE though.


This is a translation from babelfish:

Plain replacement of standard su for FreeBSD. It makes it possible to 
become any user (inc. root) with the introduction of any password. For 
this necessary to neglect su with the option -!. with the use of this 
option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.


My apologies if I am sending in something completely useless and not 
important, but I figured it wouldn't hurt just to make sure.


Cheers,


The attached file needs to be setuid to root, so, someone needed to have 
increased privileges before, in order to install this prg. In this case 
a one-line C program w/ root setuid would do the same job.


--
Patrick Tracanelli
patrick @ freebsdbrasil.com.br
Long live Hanin Elias, Kim Deal!



Re: Possible exploit in 5.4-STABLE

2005-07-01 Thread Jorn Argelo

Oliver Fromme wrote:


Argelo, Jorn [EMAIL PROTECTED] wrote:
 [...]
 This site, of course (almost) completely in Russian, had a file to gain 
 root access with a modified su utility. [...]
 
 This is a translation from babelfish:
 
 Plain replacement of standard su for FreeBSD. It makes it possible to 
 become any user (inc. root) with the introduction of any password. For 
 this necessary to neglect su with the option -!. with the use of this 
 option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.


To install such a modified su utility, you need to be root
anyway.

So this is not an exploit.  It could be useful to install
hidden backdoors on cracked machines, though, as part of a
root kit or similar.  You could achieve the same effect by
copying /bin/sh to some hidden place and make it setuid-
root (which also requires root privileges in the first
place).  The advantage of a modified su utility is the fact
that su(1) is setuid-root anyway, so it might be more
difficult to detect the backdoor.

However -- In both cases the modified suid binary should
be found and reported by the nightly security cronjob,
unless you also modify find(1) and/or other utilities.
This is a very good reason to actually _read_ the nightly
cron output instead of deleting it immediately or
forwarding it to /dev/null.  ;-)

(Also, local IDS tools like tripwire or mtree might be
useful for such cases, too.)

Best regards
  Oliver

 

Thank you for clearing this up Oliver. I just wanted to make sure it's a 
harmless thing. Better safe than sorry ;)


Cheers,

Jorn.


Re: Possible exploit in 5.4-STABLE

2005-07-01 Thread Matt Juszczak
What are the chances of a base 5.4-RELEASE system with PF and securelevel 
2 and updated packages being cracked and rooted?  Is this something that 
occurs every day?  Or is it difficult?



Re: Possible exploit in 5.4-STABLE

2005-07-01 Thread Kris Kennaway
On Fri, Jul 01, 2005 at 02:02:16PM -0400, Matt Juszczak wrote:
 What are the chances of a base 5.4-RELEASE system with PF and securelevel 
 2 and updated packages being cracked and rooted?  Is this something that 
 occurs every day?  Or is it difficult?

I don't know of any root exploits in 5.4.

Kris

