Oliver Fromme wrote:
Argelo, Jorn <[EMAIL PROTECTED]> wrote:
> [...]
> This site, of course (almost) completely in Russian, had a file to gain
> root access with a modified su utility. [...]
>
> This is a translation from babelfish:
>
> Plain replacement of "standard" su for FreeBSD. It makes it possible to
> become any user (inc. root) with the introduction of any password. For
> this necessary to neglect su with the option "-!". with the use of this
> option does not conduct ravine- files. Was tested on FreeBSD 5.4-STABLE.
To install such a modified su utility, you need to be root
anyway.
So this is not an exploit. It could be useful to install
hidden backdoors on cracked machines, though, as part of a
root kit or similar. You could achieve the same effect by
copying /bin/sh to some hidden place and making it setuid-root
(which also requires root privileges in the first
place). The advantage of a modified su utility is the fact
that su(1) is setuid-root anyway, so it might be more
difficult to detect the backdoor.
However, in both cases the modified suid binary should
be found and reported by the nightly security cronjob,
unless you also modify find(1) and/or other utilities.
This is a very good reason to actually _read_ the nightly
cron output instead of deleting it immediately or
forwarding it to /dev/null. ;-)
(Local IDS tools like tripwire or mtree might be
useful in such cases, too.)
Best regards
Oliver
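The two checks Oliver points at (the nightly setuid listing that catches a hidden setuid shell, and an mtree/tripwire-style content baseline that is the only thing that catches a trojaned su installed with the original mode and owner) reduce to a few shell functions. The script below is an added example and is not code from the thread or from FreeBSD; it builds a throwaway directory tree in a temp dir instead of walking a real system, and the directory layout, file names and function names are assumptions for the demo. It uses the POSIX cksum only because that runs everywhere; FreeBSD's own periodic script keeps a setuid listing under /var/backups and diffs it nightly, and mtree with a sha256digest keyword or tripwire keeps a real digest of each file.

```shell
#!/bin/sh
# Added example, not part of the original thread: the idea behind FreeBSD's
# nightly setuid check and behind mtree/tripwire, reduced to shell functions
# that run against a constructed directory tree in a temp dir. All paths,
# file names and function names here are assumptions for the demo.
export LC_ALL=C   # sort and comm must agree on collation

# List setuid/setgid regular files under $1 as "mode owner group path",
# sorted so two listings can be compared line by line (the nightly job keeps
# such a list and diffs it against the next night's).
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# Content fingerprint of every regular file under $1 as "path crc size",
# the role an mtree digest or tripwire plays (cksum is used here only because
# it is POSIX; use a real cryptographic digest in production).
list_hashes() {
    find "$1" -xdev -type f -exec cksum {} \; 2>/dev/null |
        awk '{ print $3, $1, $2 }' | sort
}

# Compare the tree under $1 with a saved setuid listing $2. Prints "+ entry"
# for files that became setuid/setgid and "- entry" for ones that vanished;
# returns 1 if anything changed, 0 if the listing is identical.
check_setuid() {
    cs_current=$(mktemp)
    list_setuid "$1" > "$cs_current"
    cs_added=$(comm -13 "$2" "$cs_current")
    cs_removed=$(comm -23 "$2" "$cs_current")
    rm -f "$cs_current"
    [ -z "$cs_added" ] && [ -z "$cs_removed" ] && return 0
    [ -n "$cs_added" ]   && printf '%s\n' "$cs_added"   | sed 's/^/+ /'
    [ -n "$cs_removed" ] && printf '%s\n' "$cs_removed" | sed 's/^/- /'
    return 1
}

# Compare the tree under $1 with a saved fingerprint list $2. Prints "+ path"
# (new file), "- path" (gone) or "M path" (same path, different content);
# returns 1 if anything changed. Demo only: paths must not contain whitespace.
check_hashes() {
    ch_current=$(mktemp)
    list_hashes "$1" > "$ch_current"
    ch_new=$(comm -13 "$2" "$ch_current" | awk '{ print $1 }')
    ch_old=$(comm -23 "$2" "$ch_current" | awk '{ print $1 }')
    rm -f "$ch_current"
    ch_status=0
    for p in $ch_new; do
        if printf '%s\n' "$ch_old" | grep -qxF -- "$p"; then echo "M $p"; else echo "+ $p"; fi
        ch_status=1
    done
    for p in $ch_old; do
        printf '%s\n' "$ch_new" | grep -qxF -- "$p" || { echo "- $p"; ch_status=1; }
    done
    return $ch_status
}

# Constructed stand-in for a clean system: a stock setuid su plus two
# ordinary binaries. Echoes the root of the tree.
build_tree() {
    bt_root=$(mktemp -d)
    mkdir -p "$bt_root/usr/bin" "$bt_root/usr/lib"
    printf 'stock su\n'   > "$bt_root/usr/bin/su";   chmod 4555 "$bt_root/usr/bin/su"
    printf 'stock ls\n'   > "$bt_root/usr/bin/ls";   chmod 555  "$bt_root/usr/bin/ls"
    printf 'stock find\n' > "$bt_root/usr/bin/find"; chmod 555  "$bt_root/usr/bin/find"
    echo "$bt_root"
}

# Plant the two backdoors Oliver describes (on a real box this needs root;
# here the tree is our own temp dir, so no privileges are involved).
plant_backdoor() {
    # A hidden setuid shell: a new setuid file, so the setuid listing catches it.
    mkdir -p "$1/usr/lib/.cache"
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$1/usr/lib/.cache/sh"
    chmod 4755 "$1/usr/lib/.cache/sh"
    # A modified su with the original path, mode, owner and group: the setuid
    # listing is blind to it, only the content fingerprint shows the swap.
    rm -f "$1/usr/bin/su"
    printf 'modified su: -! option skips the password check\n' > "$1/usr/bin/su"
    chmod 4555 "$1/usr/bin/su"
}

# Stand-alone run: take both baselines, plant the backdoors, report.
main() {
    demo_root=$(build_tree)
    setuid_base=$(mktemp); hash_base=$(mktemp)
    list_setuid "$demo_root" > "$setuid_base"   # what the nightly job saves
    list_hashes "$demo_root" > "$hash_base"     # what mtree/tripwire would save
    plant_backdoor "$demo_root"
    echo "== setuid/setgid changes (the nightly security mail) =="
    if check_setuid "$demo_root" "$setuid_base"; then echo "(none)"; fi
    echo "== content changes (mtree/tripwire-style) =="
    if check_hashes "$demo_root" "$hash_base"; then echo "(none)"; fi
    rm -rf "$demo_root" "$setuid_base" "$hash_base"
}
main
```

Run it and the first report names only the hidden shell, while the second report names both the hidden shell and the replaced su; that gap between the two reports is exactly why a setuid listing alone is not enough against a trojaned su, and why the baselines themselves have to live somewhere the attacker cannot rewrite them (read-only media or another host), since a root-level intruder who can swap su can also swap /var/backups.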
Thank you for clearing this up Oliver. I just wanted to make sure it's a
harmless thing. Better safe than sorry ;)
Cheers,
Jorn.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"