Hi all,

My site has been cracked yesterday (don't worry, it's not about that) and the cracker uploaded a script to delete stuff. Anyway, not important. The script contained a link to a Russian site. This site, of course (almost) completely in Russian, had a file to gain root access with a modified su utility.

It's maybe not so useful for me to attach the binary, but I'll do it anyway because I don't have anything else but that and a readme file. It didn't seem to work (out of the box) with 5.4-RELEASE though.

This is a translation from babelfish:

Plain replacement of "standard" su for FreeBSD. It makes it possible to become any user (inc. root) with the introduction of any password. For this necessary to neglect su with the option "-!". with the use of this option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.

My apologies if I am sending in something completely useless and not important, but I figured it wouldn't hurt just to make sure.

Cheers,
Jorn.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: su.tgz
Type: application/octet-stream
Size: 7511 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20050701/1bed377f/su.obj
Argelo, Jorn <jorn_argelo@epson-europe.com> wrote:
> [...]
> This site, of course (almost) completely in Russian, had a file to gain
> root access with a modified su utility.
[...]
> This is a translation from babelfish:
>
> Plain replacement of "standard" su for FreeBSD. It makes it possible to
> become any user (inc. root) with the introduction of any password. For
> this necessary to neglect su with the option "-!". with the use of this
> option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.

To install such a modified su utility, you need to be root anyway. So this is not an exploit. It could be useful to install hidden backdoors on cracked machines, though, as part of a root kit or similar.

You could achieve the same effect by copying /bin/sh to some hidden place and making it setuid-root (which also requires root privileges in the first place). The advantage of a modified su utility is the fact that su(1) is setuid-root anyway, so it might be more difficult to detect the backdoor.

However -- In both cases the modified suid binary should be found and reported by the nightly security cronjob, unless you also modify find(1) and/or other utilities. This is a very good reason to actually _read_ the nightly cron output instead of deleting it immediately or forwarding it to /dev/null. ;-)

(Also, local IDS tools like tripwire or mtree might be useful for such cases, too.)

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.

"A language that doesn't have everything is actually easier to program in than some that do." -- Dennis M. Ritchie
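The setuid inventory check Oliver is talking about, written out as an added example (this is not code from the thread and not FreeBSD's own periodic(8) script; the directory layout and file names in the demonstration are constructed, and a real baseline is built by running list_setuid against / as root on a known-clean host):

```shell
#!/bin/sh
# Added example: snapshot every setuid/setgid file and report anything that is
# new, missing or modified since the baseline. A replaced /usr/bin/su keeps its
# path but changes its checksum, so it shows up as a changed line.

# list_setuid DIR
#   Print "crc size path" for every regular file under DIR (staying on one
#   filesystem, -xdev) that has the setuid (-4000) or setgid (-2000) bit set,
#   sorted by path. cksum is POSIX, so baselines are comparable across hosts.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec cksum {} \; \
        | sort -k 3
}

# save_baseline DIR FILE
#   Record the current setuid/setgid inventory of DIR in FILE.
save_baseline() {
    list_setuid "$1" > "$2"
}

# check_setuid BASELINE DIR
#   Compare the live inventory of DIR against BASELINE. Prints the diff
#   ("<" = only in the baseline, ">" = new or changed on disk) and returns 0
#   when nothing changed, 1 when a setuid/setgid file was added, removed or
#   modified. Wrapping diff in "if" keeps the check usable under "set -e".
check_setuid() {
    if list_setuid "$2" | diff "$1" -; then
        return 0
    else
        return 1
    fi
}

# demo: constructed tree (not a real system) with a trojaned su. Returns 1
# because the replaced binary is detected.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    printf 'original su\n' > "$tmp/bin/su"; chmod 4755 "$tmp/bin/su"
    save_baseline "$tmp" "$tmp/baseline"
    # Simulate the backdoor. Writing to a setuid file as a non-root user
    # clears the bit on Linux, so chmod must follow the write.
    printf 'trojaned su\n' > "$tmp/bin/su"; chmod 4755 "$tmp/bin/su"
    check_setuid "$tmp/baseline" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run the baseline from read-only or off-host storage; a baseline kept on the cracked machine can be edited by the same intruder who installed the backdoor, which is the same reason Oliver points to tripwire or mtree.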
[skip]
> to attach the binary, but I'll do it anyway because I don't have
> anything else but that and a readme file. It didn't seem to work (out of
> the box) with 5.4-RELEASE though.
>
> This is a translation from babelfish:
>
> Plain replacement of "standard" su for FreeBSD. It makes it possible to
> become any user (inc. root) with the introduction of any password. For
> this necessary to neglect su with the option "-!". with the use of this
> option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.
>
> My apologies if I am sending in something completely useless and not
> important, but I figured it wouldn't hurt just to make sure.
>
> Cheers,

The attached file needs to be setuid to root, so someone needed to have increased privileges before, in order to install this prg.

In this case a one-line C program w/ root setuid would do the same job.

--
Patrick Tracanelli
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"