[17528] in bugtraq
Re: vulnerability in mail.local
daemon@ATHENA.MIT.EDU (bert hubert)
Mon Nov 6 19:15:13 2000
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20001106200224.A21128@home.ds9a.nl>
Date: Mon, 6 Nov 2000 20:02:24 +0100
Reply-To: bert hubert <ahu@DS9A.NL>
From: bert hubert <ahu@DS9A.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200011060740.IAA22216@cave.bitwizard.nl>; from R.E.Wolff@BITWIZARD.NL on Mon, Nov 06, 2000 at 08:40:04AM +0100
On Mon, Nov 06, 2000 at 08:40:04AM +0100, Rogier Wolff wrote:
> real shell. Until he executes whatever he normally does to become
> root.
>
> Once you own the user-account of the administrator, you can work
> yourself up to "root".
However, as long as you prevent login as root via telnet or ssh to localhost
[1], such a trojan 'su' will give itself away. An exploited su will ask for
a password, but has no way to pass that password onto the real su, so as to
prevent detection. All common password checking programs take care to open
/dev/tty instead of stdin [2].
It can however report that your password was entered incorrectly, and then
spawn su, allowing you to retry.
So: if you ever find that you are sure that you entered the correct
password, but su doesn't believe you, your account may have been
compromised, as well as the account you tried to 'su' into.
Regards,
Bert Hubert
(shouts out to Hardbeat who resonated with me during an IRC discussion
regarding /dev/tty and intercepting passwords)
[1] if you allow root logins via ssh or telnet, the trojanned su may spawn a
telnet session to localhost, enter root, and then wait for your password.
telnet does open stdin, and can be fooled this way.
[2] Getting input into /dev/tty requires wizardry that's not supposed to be
available to general users
--
PowerDNS Versatile DNS Services
Trilab The Technology People
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
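The point Bert makes above (a trojaned su cannot relay a captured password to the real su, because the real su reads from /dev/tty and not from the stdin the trojan controls) can be shown in code. The following is an added example and is not part of the original post or of any su implementation. It assumes nothing about a real terminal: a pseudo-terminal from Python's pty module stands in for /dev/tty, a pipe stands in for the victim program's stdin, and the function names (`read_password_from_tty`, `read_password_from_stdin`, `simulate`) and the password `hunter2` are made up for the demonstration.

```python
"""Why a trojaned su cannot hand a captured password to the real su.

Added example, not code from the bugtraq post. Two readers are modelled:
  - read_password_from_tty:   getpass(3)/su style, reads the controlling
                              terminal only and never falls back to stdin
  - read_password_from_stdin: telnet style, reads whatever is on stdin
A pty (pty.openpty) stands in for /dev/tty so this runs without a terminal.
"""
import os
import pty
import select
import termios
from typing import Optional


def read_password_from_tty(tty_fd: int, timeout: float = 0.5) -> Optional[str]:
    """Read one line from a terminal fd with echo off, as su does on /dev/tty.

    Returns None when nothing was typed on the terminal within `timeout`
    seconds, i.e. the genuine program is still sitting at its prompt.
    Deliberately does NOT fall back to stdin.
    """
    old = termios.tcgetattr(tty_fd)
    new = list(old)
    new[3] &= ~termios.ECHO                      # c_lflag: do not echo keystrokes
    termios.tcsetattr(tty_fd, termios.TCSANOW, new)   # TCSANOW: keep pending input
    try:
        ready, _, _ = select.select([tty_fd], [], [], timeout)
        if not ready:
            return None
        buf = bytearray()
        while True:
            ch = os.read(tty_fd, 1)
            if not ch or ch == b"\n":
                break
            buf += ch
        return buf.decode()
    finally:
        termios.tcsetattr(tty_fd, termios.TCSANOW, old)


def read_password_from_stdin(stdin_fd: int) -> str:
    """What a telnet-style program does: take the password from stdin.
    Whoever controls the process's stdin can feed this."""
    buf = bytearray()
    while True:
        ch = os.read(stdin_fd, 1)
        if not ch or ch == b"\n":
            break
        buf += ch
    return buf.decode()


def simulate(captured: str, user_types: Optional[str], reads_tty: bool) -> Optional[str]:
    """Run one relay attempt by the trojan against one kind of reader.

    captured:   password the trojan already phished; it writes this to the
                victim program's stdin (the only channel it controls)
    user_types: what, if anything, arrives on the terminal (None: the user
                types nothing, believing the password was already entered)
    reads_tty:  True for an su-style reader, False for a telnet-style one
    Returns the string the victim program accepted, or None if an su-style
    reader is still waiting at its prompt (the trojan has given itself away).
    """
    stdin_r, stdin_w = os.pipe()          # constructed stand-in for the victim's stdin
    master, slave = pty.openpty()         # constructed stand-in for /dev/tty
    try:
        os.write(stdin_w, (captured + "\n").encode())
        os.close(stdin_w)                 # trojan has written all it can
        if user_types is not None:
            os.write(master, (user_types + "\n").encode())   # keystrokes on the terminal
        if reads_tty:
            return read_password_from_tty(slave)
        return read_password_from_stdin(stdin_r)
    finally:
        for fd in (stdin_r, master, slave):
            os.close(fd)


if __name__ == "__main__":
    # su-style reader, user types nothing: the captured password never arrives.
    print("su via /dev/tty, stdin fed:     ", simulate("hunter2", None, True))
    # The retry trick from the post: fake "incorrect password", then the user
    # types it again into the real su, which reads it from the terminal.
    print("su via /dev/tty, user retypes:  ", simulate("hunter2", "hunter2", True))
    # Footnote [1]: a telnet-style reader takes the password from stdin.
    print("telnet via stdin, stdin fed:     ", simulate("hunter2", None, False))
```

The first case is the detectable one: the real su ignores the pipe and keeps prompting on the terminal, so the trojan cannot finish the job silently. The second case is the workaround described in the post (report a wrong password, exec the real su, let the user retype), and the third is why footnote [1] matters: a program that reads its password from stdin can be driven by a parent process.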