[13027] in bugtraq


Announcement: Solaris loadable kernel module backdoor

daemon@ATHENA.MIT.EDU (plasmoid)
Tue Dec 21 15:08:32 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9912202342090.26215-100000@oops.spline.inf.fu-berlin.de>
Date:         Mon, 20 Dec 1999 23:43:46 +0100
Reply-To: plasmoid <plasmoid@PIMMEL.COM>
From: plasmoid <plasmoid@PIMMEL.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I'd like to announce in addition to the two THC articles covering Linux
and FreeBSD loadable kernel module backdoors the first public loadable
kernel module backdoor for Solaris.

The module features:
        - File hiding
        - File content and directory hiding
        - Switch to toggle file content and directory hiding
        - Process hiding (structured proc)
        - Promiscuous flag hiding
        - Converting magic uid to root uid
        - Execution redirecting

It has been successfully tested on the following operating systems:
Solaris 7 x86 / sparc / ultrasparc
Solaris 2.6 ultrasparc

The module can be directly downloaded from
--- http://www.infowar.co.uk/thc/files/thc/slkm-1.0.tar.gz

A complete documentation of the kernel module's functions can be found in
my article "Attacking Solaris with loadable kernel modules" at
--- http://www.infowar.co.uk/thc

Regards,
Plasmoid / THC
http://www.infowar.co.uk/thc
http://www.pimmel.com
