Selva Nair wrote:
Hi michael, raju:
On 5/26/05, michael <[EMAIL PROTECTED]> wrote:
On Thu, 2005-05-26 at 17:16 -0400, kamaraju kusumanchi wrote:
Selva Nair wrote:
Looking through evidence left behind (bash_history etc.) I have
figured out that the privilege escalation was achieved using an
executable that the attacker downloaded from the net. I have verified
that this binary is indeed capable of giving root shell to any user
and it works on two test systems I tried -- one woody and one redhat 7.2.
oh please send me a binary that promises to compromise my system....
Sure you can have it! I didn't want to post graphic details nor the binary to
the list as I only have the binary and no clue.
You can download the thingy from http://www.geocities.com/eas2lv/temp/ --
download knl.uuencoded.html to disk and uudecode it to get the binary named knl.
I have no idea what all it does other than opening a root shell, so be careful
not to try it on any critical systems. strace did not show any potentially
damaging system calls, but YMMV.
Please do let me know anything that you find.
Thanks,
Selva
Thanks for sending the file. I tried it on sid and it is not giving
any root access for an ordinary user. Guess it is a problem with woody
or a particular kernel version then.
$ uname -a
Linux deluxe 2.6.9-1-686 #1 Thu Nov 25 03:48:29 EST 2004 i686 GNU/Linux
$ ./knl
[-] Unable to determine kernel address: Operation not supported