- Path: sparky!uunet!gatech!paladin.american.edu!howland.reston.ans.net!sol.ctr.columbia.edu!news.unomaha.edu!crcnis1.unl.edu!moe.ksu.ksu.edu!matt.ksu.ksu.edu!news
- From: probreak@matt.ksu.ksu.edu (James Michael Chacon)
- Newsgroups: comp.security.misc
- Subject: Re: Unix Viruses. Are there any??
- Date: 22 Jan 1993 07:45:12 -0600
- Organization: Kansas State University
- Lines: 26
- Message-ID: <1jotp8INNiu@matt.ksu.ksu.edu>
- References: <1993Jan15.090426.12195@unix.brighton.ac.uk> <17988@umd5.umd.edu> <senetza.727648754@honte> <1jootkINNhrv@matt.ksu.ksu.edu>
- NNTP-Posting-Host: matt.ksu.ksu.edu
-
- senetza@sigma.uleth.ca (Len Senetza) writes:
-
- >so, get the source for something like ls (it's on ftp.uu.net). then
- >modify it so that it attaches a binary file which does x (x can be
- >innocuous [print a smilie on the console] or destructive [halt]) to a
- >system command (mkdir) which is installed suid. then, go talk to the
- >sysadmin and tell them that there is something wrong with your
- >directory. when they cd to it and do an 'ls' (your version), bango --
- >virus. this 'x' thing that the binary file does can also include
- >copying itself to other programs.
-
- >so, if root executes your ls, then x is attached to some program in the
- >system. have your x only do it to programs which are suid. then it's
- >all over the place; memory protection and file access controls fail
- >here.
-
- >this assumes that root has . in its path, and how many root accounts
- >out there do?
-
- No, this assumes root has . at the FRONT of his/her path. This of course is
- extremely stupid and I believe covered in the FAQ.
-
- A scenario like this assumes that the sysadmin is a pretty trusting person
- and probably already has large security holes in the system.
-
- James
-
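A check for the condition this exchange turns on, as an added example that is not part of the original posts: the hypothetical function `cwd_position` reports whether a current-directory entry in a PATH string (".", an empty entry, or any relative directory) is searched before the directory that actually provides a given command. The function name and its three result labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original thread. cwd_position is a hypothetical
# helper name. Usage: cwd_position COMMAND PATH_STRING
# Prints one of:
#   clean    - every PATH entry is an absolute directory
#   shadowed - a current-directory entry is searched before any absolute
#              directory that provides COMMAND
#   fallback - a current-directory entry exists, but only after the
#              directory that provides COMMAND
cwd_position() {
    cmd=$1
    rest="$2:"            # trailing ":" so a final empty entry is not lost
    found=no rel_before=no rel_after=no
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*)
                if [ "$found" = no ] && [ -f "$entry/$cmd" ] && [ -x "$entry/$cmd" ]; then
                    found=yes
                fi
                ;;
            *)
                # ".", an empty entry (leading, trailing or doubled colon)
                # and any other relative entry all resolve against the cwd.
                if [ "$found" = no ]; then rel_before=yes; else rel_after=yes; fi
                ;;
        esac
    done
    if [ "$rel_before" = yes ]; then
        echo shadowed
    elif [ "$rel_after" = yes ]; then
        echo fallback
    else
        echo clean
    fi
}

# Audit the PATH of the account running the script (run it as root to check root).
echo "ls: $(cwd_position ls "${PATH-}")"
```

A `fallback` result means the named command resolves to the system copy, but any name that no earlier directory provides is still looked up in the current directory.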