On Wed, 28 Mar 2007, Tim Rees wrote: > All other system binaries (e.g. screen etc.) are now inaccessible, but > if a user (or root) runs sudo (or whatever the user names it) in the > meantime before someone realises something is wrong, the malicious > binary will be executed.
You do not have to rely on some other user running your trojan horse. You can replace a program run automatically (e.g. by cron). Or something even better: replace system dynamic libraries (e.g. /lib/tls) and run a dynamically linked setuid program of your own choice. Instant ownage! (Moreover, the latter approach is quite easy to exploit without making the system unusable.) This is a very serious vulnerability. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation."
