Re: [linux-security] Attempt to break through ftp
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Wed Oct 16 18:31:52 1996
Date: Wed, 16 Oct 1996 17:19:08 -0400
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il>
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: Your message of Wed, October 16, 1996 03:10:47 +0200
"ES" == Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il> writes:
ES> Welcome to the wonderful world of uid = 0
ES> squidge
ES> /bin/sh
ES> exploit from my forthcoming paper:
ES> Hardening your site - outside -> in
ES> ---
ES> Does anybody know what kind of attack it is? Or is it something new?
This library can be found all over the place, in both source form and as
mouse-droppings left over from break-in attempts: it's libroot.so, a
shared library that replaces the libc getpass() and openlog() calls with
a system() call that runs /bin/sh.
Basic (remote) attack goes as follows:
1) FTP this library into a site's incoming area.
2) Start telnet.
3) Pass the fully-qualified path to the library in the remote system's
FTP incoming area as $LD_PRELOAD via telnet's environment-passing
features.
4) Connect to the remote system.
5) You've now got root on the remote system, without any authentication.
Local attack varies in that you can use /tmp for stashing the library
and then just connect to localhost. (These instructions can all be
found in the readme for the source code.)
This vulnerability has been known for quite a while now--and has been
fixed for quite some time as well. (It's *very* easy to exploit--it's
one of the easiest break-in methods imaginable--and it has been widely
used on the net.) The fixes have been relatively well-publicized.
Some of the fixes that address this:
1) Fixed (patched) telnetd.
2) Static linking of /bin/login and friends.
3) Login "wrapper" program that cleans up the environment.
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
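Fix 3 in the message above, a login wrapper that scrubs the environment before handing control to /bin/login, is easy to get wrong (dropping only LD_PRELOAD and forgetting LD_LIBRARY_PATH, for instance). The program below is an added illustration written for this archive page; it is not code from the original post or from any telnetd/login distribution. It assumes the wrapper is installed in telnetd's place of /bin/login (the real login path is a placeholder) and that stripping every LD_* variable plus IFS from the inherited environment is sufficient for the dynamic linker and shell involved.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if an environment entry ("NAME=value") must not reach a
 * privileged program.  LD_* covers LD_PRELOAD and LD_LIBRARY_PATH, the
 * variables that tell the dynamic linker which shared objects to load
 * (the libroot.so trick relies on LD_PRELOAD); IFS is the classic
 * shell-parsing variable.  Assumption: this deny list is what the
 * target linker and shell honour. */
static int is_dangerous(const char *entry) {
    return strncmp(entry, "LD_", 3) == 0 ||
           strncmp(entry, "IFS=", 4) == 0;
}

/* Build a new NULL-terminated environment containing only the entries of
 * envp that pass is_dangerous().  Returns the number of entries kept and
 * stores the new array in *out (caller frees the array; the strings are
 * shared with envp).  On allocation failure *out is NULL and 0 is returned. */
size_t sanitize_env(char *const envp[], char ***out) {
    size_t n = 0, kept = 0;
    while (envp[n] != NULL)
        n++;
    char **clean = malloc((n + 1) * sizeof *clean);
    if (clean == NULL) {
        *out = NULL;
        return 0;
    }
    for (size_t i = 0; i < n; i++)
        if (!is_dangerous(envp[i]))
            clean[kept++] = envp[i];
    clean[kept] = NULL;
    *out = clean;
    return kept;
}

int main(int argc, char *argv[]) {
    extern char **environ;
    char **clean;
    (void)argc;
    if (sanitize_env(environ, &clean) == 0 && clean == NULL) {
        fputs("login-wrapper: out of memory\n", stderr);
        return 1;
    }
    /* Placeholder path: point this at the real, renamed login binary. */
    execve("/bin/login.real", argv, clean);
    perror("login-wrapper: execve");
    return 1;
}
```

The reason a wrapper (or static linking) was needed at all: telnetd already runs as root and execs /bin/login as root, so the real and effective uid match and the dynamic linker does not enter its restricted set-user-ID mode; it honours LD_PRELOAD exactly as it would for an ordinary user process. Scrubbing the environment before the exec, as above, removes the attacker's only channel into the linker.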