Re: Ok.. who is backdooring /usr/bin/login on SunOS?
daemon@ATHENA.MIT.EDU (Casper Dik)
Wed May 10 12:22:13 1995
To: "Alan B. Clegg" <abc@arg.com>
Cc: bugtraq@fc.net
In-Reply-To: Your message of "Wed, 10 May 1995 09:02:10 EDT."
<Pine.LNX.3.91.950510084832.7713A-100000@spam.arg.com>
Date: Wed, 10 May 1995 16:29:29 +0200
From: Casper Dik <casper@Holland.Sun.COM>
>I have now come upon the 5th example of 1s complement passwords being
>put into /usr/bin/login on different systems... Each one has a different
>password, and not all act the same, some allowing you to get in with
>
> any_userid+given_passwd==root_shell
> and the other
> real_userid+given_passwd==real_user_shell [including root]
>
>One of the systems also has the 1s complement string '/tmp/.tty'.. I have
>yet to see that file used.. is anyone familiar with these attacks? I've
>looked [briefly, I admit] through the archives of bugtraq and can't find
>any notes on this one...
The attack looks familiar, though I've only seen it with one
of the passwords as 1-complement, the other as plain text.
I've only seen it as change to a dynamically linked libc on SunOS 4
machines (replacing crypt w/ its own routines).
>All of the systems so-compromised have been [at some point] running NCSA
>HTTP servers. That is the only similar attack route that I have been
>able to pin down. Is there a toolkit out there that hacks login via the
>http holes?
Usually such elaborate hacks do not exist, it's more of a modular
three step approach:
- get on a machine (perhaps thru HTTP, but very common
is password snooping)
- get root (any of the holes you mention will do)
- modify libc.so/login.
Casper
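The one's-complement string hiding that Alan describes (the password and '/tmp/.tty' stored bit-flipped so a plain `strings` run misses them) is cheap to check for: flip every byte of the suspect binary and look for printable runs in the inverted image. The scanner below is an added example, not code from this thread; the sample "binary" is constructed inline.

```python
"""Report printable ASCII strings that appear only after one's-complementing a binary.

Legitimate binaries rarely contain long printable runs once every byte is
inverted, so any hit in the inverted image deserves a manual look.
"""
import re
import sys

MIN_LEN = 4  # shortest run worth reporting, like strings(1)'s default


def invert(data: bytes) -> bytes:
    """One's complement: flip every bit of every byte (x ^ 0xFF)."""
    return bytes(b ^ 0xFF for b in data)


def find_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable ASCII (0x20..0x7e) of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_inverted_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Strings visible only after inverting each byte of the image."""
    return find_strings(invert(data), min_len)


# Constructed sample image: an ELF-like header, some low bytes, one normal
# string, and two strings stored one's-complemented the way the reported
# backdoors did. Padding is 0x00 so inverted padding (0xFF) breaks runs.
SAMPLE = (
    b"\x7fELF\x01\x02\x01" + bytes(range(0, 32))
    + b"login: " + b"\x00" * 8
    + invert(b"/tmp/.tty") + b"\x00" * 3
    + invert(b"s3cretpw") + b"\x00" * 6
)


def scan_file(path: str) -> list:
    """Return the one's-complement-hidden strings found in a file on disk."""
    with open(path, "rb") as fh:
        return find_inverted_strings(fh.read())


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("plain strings:   ", find_strings(data))
    print("inverted strings:", find_inverted_strings(data))
```

Run it against a suspect /usr/bin/login or libc.so; a clean build should report nothing under "inverted strings", and a difference against the vendor's checksum for the same file is the confirming check.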