[4579] in linux-net channel archive
A SERIOUS security problem!!!!
daemon@ATHENA.MIT.EDU (Brian A. Lantz)
Mon Sep 30 03:27:26 1996
Date: Sun, 29 Sep 1996 16:01:20 -0400 (EDT)
From: "Brian A. Lantz" <brian@lantz.com>
To: linux-net@vger.rutgers.edu
cc: Linus Torvalds <torvalds@cs.helsinki.fi>
There is a package out there, with complete code and instructions on how to
break into most ANY Linux machine (and they boast, most other Unix boxes).
After knowing what to look for, I found SEVERAL WWW and FTP sites with
this info, so the problem is WIDE-SPREAD.
This uses a security hole in telnetd, which allows passing of environment
variables into 'login'. They define 'LD_LIBRARY_PATH' to point to a user
(or incoming ftp) directory containing a new 'libc.so.4' or a
'libroot.so' (also supplied in the cracker's kit), which contains NO
security checking, and logs them in as root.
The package also contains a kit for building your own 'login' executable,
complete with trojan horse!
Check your /bin/login file, and see if it has a recent modification date.
If so, you have probably already been broken into! Also, check your
/etc/passwd file for any OTHER 'root' entries, like 'rewt', etc. ANY
other entry with a user/group of 0 is PROBABLY a backup username left in
by a cracker, in case you found their 'login' executable.
To protect your site NOW, make sure you have a statically linked 'login'
executable! Do it NOW! Go to sunsite.unc.edu (or any other well stocked
site), and get a copy of the poeigl-1.39.tar.gz package. On sunsite it is
in the /pub/Linux/system/Admin/login directory. Edit the Makefile,
and add '-static' to the LIBS line. Do a 'make' and install AT LEAST the
'login' executable.
Do it! NOW.........
SHARE this info with EVERY Linux user with a site available on the
Internet, as almost ALL are (at the moment) easy pickings for crackers!
Anyone with a NEED for the actual crackers kit, can contact me personally. I
am NOT going to make it available EXCEPT on a need to have basis, for
obvious reasons.
To prevent this in the long run, the telnetd executable should be modified,
and possibly the login executable, to prevent these kinds of security
problems.
-----------------------------------------------------------
Brian A. Lantz http://www.lantz.com brian@lantz.com
REAL PORTION of Microsoft Windows code:
while (memory_available) {
eat_major_portion_of_memory (no_real_reason);
if (feel_like_it)
make_user_THINK (this_is_an_OS);
gates_bank_balance++;
}
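An added example, not part of Brian's message or of the poeigl package: a small POSIX shell script that automates the three checks the message recommends (extra uid/gid 0 entries in /etc/passwd, a recently modified /bin/login, and whether login is statically linked, which is what the '-static' rebuild is meant to guarantee). The paths /bin/login and /etc/passwd, the 30-day "recent" window, and the sample passwd lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the
# LD_LIBRARY_PATH-through-telnetd/login problem described above.

# Print every account in the given passwd file that has uid 0 or gid 0
# but is not named root (e.g. a 'rewt' backup account left by a cracker).
# Usage: extra_root_accounts /etc/passwd
extra_root_accounts() {
    awk -F: '($3 ~ /^0+$/ || $4 ~ /^0+$/) && $1 != "root" { print $1 }' "$1"
}

# True (exit 0) if the file was modified less than DAYS days ago.
# Uses only POSIX find, so it works on old and new systems alike.
# Usage: modified_within_days /bin/login 30
modified_within_days() {
    [ -n "$(find "$1" -prune -mtime -"$2" 2>/dev/null)" ]
}

# Report how a binary is linked, via file(1): "static", "dynamic" or "unknown".
# A statically linked login ignores LD_LIBRARY_PATH because it loads no libc.
# Usage: link_type /bin/login
link_type() {
    if ! command -v file >/dev/null 2>&1; then
        echo unknown
        return
    fi
    case "$(file -L "$1" 2>/dev/null)" in
        *"statically linked"*)  echo static ;;
        *"dynamically linked"*) echo dynamic ;;
        *)                      echo unknown ;;
    esac
}

# Constructed sample passwd file (assumption, not real data) for a self-test.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
rewt:x:0:0:backup root:/tmp:/bin/sh
brian:x:500:100:Brian:/home/brian:/bin/sh
toor:x:0:0:alternate root:/:/bin/sh
EOF
}

# Run the three checks against the live system. Paths are assumptions.
audit_system() {
    echo "/bin/login link type: $(link_type /bin/login)"
    if modified_within_days /bin/login 30; then
        echo "WARNING: /bin/login was modified within the last 30 days"
    fi
    extra=$(extra_root_accounts /etc/passwd)
    if [ -n "$extra" ]; then
        echo "WARNING: extra uid/gid 0 accounts: $(printf '%s ' $extra)"
    fi
}

# Only touch the real system when explicitly asked: ./audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_system
fi
```

Run with --audit on a machine you suspect; a "dynamic" login plus an unexpected uid 0 account is exactly the pattern the message warns about. The mtime check is only a heuristic: a cracker who installs a trojan login can also reset its timestamp, so treat a clean result as necessary, not sufficient.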