2006-10-21
AltSci Concepts

Computer Journal

SFTP Trojan
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Feb 28, 2006

SFTP Trojan 0.2.1 Source [sig]

DESCRIPTION

First off, allow me to calm your worries. This is _not_ a vulnerability in SFTP. Don't go shutting down your servers or chmod 000 sftp-server or chmod 000 sftp or anything crazy like that. This is a tool that can be used to emulate the interface of sftp without using sftp. Compiled, it is 12k while sftp is 67k. It has no external libraries except libc and ld (the defaults). If you think about it, 12k is not much space to work in. All it does is run the password routine, then let the user input commands.

As long as your server or desktop is secure in all the ways that count, you are not vulnerable to the SFTP Trojan. If a user can overwrite your /usr/bin/sftp program, you're in trouble. But that's nothing new. We have always known that this type of vulnerability exists due to bad management and needs to be resolved. Many web-based attack vectors allow overwriting of files (file-upload software, for example). This could also become a serious problem if apache has write access to /usr/bin/sftp. It should not. If it does, it is likely that it also has write access to /usr/bin/traceroute (which is suid root:bin btw) or /usr/bin/slocate (which is group suid root:slocate btw) or any of the 20 or so suid programs. If some bad admin were to make apache part of the bin group, then chmod g+w /usr/bin/traceroute, then use insecure file uploading, an attacker can put a virus into /usr/bin/traceroute. Then the attacker must get a user (like apache) to run traceroute. Way too easy, no?

find / -perm +4000 -user root -type f -print
find / -perm +2000 -user root -type f -print
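The two find commands above list every setuid and setgid file, which is the right starting point; the condition the paragraph actually warns about is narrower: a set-id binary that group or others can write to. The script below is an added example, not code from the SFTP Trojan package or from its author. It reads the mode string from ls -ld instead of relying on find -perm, because the +4000 form used above is BSD syntax that current GNU findutils rejects (GNU wants -perm /4000), and it builds its own constructed demo tree under mktemp rather than touching real system binaries. The file names sftp_ok, traceroute_bad, slocate_ok and notes_world_writable are made up for the demo. It goes one step beyond the page by combining the set-id test with the writability test so that only the dangerous combination is reported.

```shell
#!/bin/sh
# Added example (not from the SFTP Trojan article): audit a directory tree
# for setuid/setgid files that are writable by group or others. That is the
# precondition the article describes (apache placed in group bin, then
# chmod g+w /usr/bin/traceroute). ls -ld is parsed so the script behaves the
# same on GNU and BSD userlands, where the -perm syntax of find differs.

# Print the 10-character mode string of a path, e.g. -rwsr-xr-x.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (exit 0) if the file carries the setuid or setgid bit.
# Position 4 holds the user execute slot (s/S when setuid), position 7 the
# group execute slot (s/S when setgid).
is_setid() {
    m=$(mode_of "$1")
    case "$(printf '%s' "$m" | cut -c4)" in s|S) return 0 ;; esac
    case "$(printf '%s' "$m" | cut -c7)" in s|S) return 0 ;; esac
    return 1
}

# Succeed if group (position 6) or other (position 9) has write permission.
is_nonowner_writable() {
    m=$(mode_of "$1")
    case "$(printf '%s' "$m" | cut -c6)" in w) return 0 ;; esac
    case "$(printf '%s' "$m" | cut -c9)" in w) return 0 ;; esac
    return 1
}

# List every regular file under $1 that is both set-id and writable by a
# non-owner: a binary that an unprivileged account could overwrite and then
# have executed with elevated privilege. Output is sorted for stable output.
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if is_setid "$f" && is_nonowner_writable "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed demo tree (empty files, not real binaries) and print
# its path. The names echo the article's examples but are only placeholders.
make_demo_tree() {
    d=$(mktemp -d)
    for n in sftp_ok traceroute_bad slocate_ok notes_world_writable; do
        : > "$d/$n"
    done
    chmod 0755 "$d/sftp_ok"                 # plain binary, owner-writable only
    chmod 4775 "$d/traceroute_bad"          # setuid AND group-writable: the hazard
    chmod 2755 "$d/slocate_ok"              # setgid, but only the owner can write
    chmod 0666 "$d/notes_world_writable"    # world-writable, but not set-id
    printf '%s\n' "$d"
}

# Stand-alone run: build the demo, report the one dangerous file, clean up.
demo=$(make_demo_tree)
echo "Set-id files writable by a non-owner under $demo:"
audit_dir "$demo"
rm -rf "$demo"
```

Run it as any user; setting the set-id bits on your own files needs no privilege, so the demo works without root. To audit a real system, call audit_dir / as root and expect an empty result; any line printed is a file whose permissions let a non-owner replace a privileged program.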

REQUIREMENTS

SFTP Trojan requires a C compiler and termios. It has been successfully tested on x86/Linux and amd64/OpenBSD.

METHODS



USAGE

Comments:

Modded: 0
LNMHFcpFKMioAdsGpGh
by enpOvbChfXGESiN on 06/26/11
Check that off the list of things I was confused about.
Modded: 0
BnjvckcAVxmyCa
by wihEQWjZe on 06/26/11
Dude, right on there brother.
Modded: 0
EqCDzjDsqQe
by tcjMepBdjaDC on 06/26/11
Super jazzed about getting that know-how.
Modded: 0
QQnXlLuIafDIxy
by cCrzvEizi on 06/26/11
I'm not easily impressed. . . but that's impressing me! :)
Modded: 0
bonRNzQndLkIcfHBbF
by kflvLEBfhNqI on 06/26/11
Frankly I think that's absolutely good stuff.
Modded: 0
HkyHNGfrdPRARRz
by FxMxrlzwRkR on 06/26/11
Hahahhaa. I’m not too bright today. Great post!
Modded: 0
HLugFZniyiOaJIBoplq
by AtYpesswFfH on 06/27/11
Thank you so much for this article, it saved me time!
Modded: 0
iFWrQiwdBYRrqIaf
by silAAstlb on 06/27/11
Haha, shouldn't you be charging for that kind of knowledge?!
Modded: 0
vuazdrVzVgG
by zulzJETiFTdX on 06/27/11
I'm impressed! You've managed the almost impossible.
Modded: 0
SQOjLcrnJiQDkbNqAYL
by EgUqQAPEEjXVmqDKuBH on 06/27/11
Wham bam thank you, ma'am, my questions are answered!
Modded: 0
dqxzWQFsobmq
by aAGiueHXadhSOTTcFW on 06/27/11
BION I'm impressed! Cool post!
Modded: 0
ZygFIUXfZPqkV
by KrHwwceAFeiluOoUegL on 12/18/12
Two main things: You MUST have a static IP. Second, you have to ask Bluehost to open up a port for you to use. After that you should have no issues other than the process getting killed by the server somewhere around the two hour mark after you started it. The solution to that is to have a shell script in the background checking if the process is alive or dead and to start it up again if it isn't running. Hope that helps.
Modded: 0
FIoeAAMGsfCBnaUN
by xPYsRcBwJKMVFbKG on 12/31/12
Two main things: You MUST have a static IP. Second, you have to ask Bluehost to open up a port for you to use. After that you should have no issues other than the process getting killed by the server somewhere around the two hour mark after you started it. The solution to that is to have a shell script in the background checking if the process is alive or dead and to start it up again if it isn't running. Hope that helps.