
SFTP Trojan
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Feb 28, 2006

SFTP Trojan 0.2.1 Source [sig]

DESCRIPTION

UDP Session Development

First off, allow me to calm your worries. This is _not_ a vulnerability in SFTP. Don't go shutting down your servers or chmod 000 sftp-server or chmod 000 sftp or anything crazy like that. This is a tool that emulates the interface of sftp without using sftp. Compiled, it is 12k, while sftp is 67k. It has no external libraries except libc and ld (the defaults). If you think about it, 12k is not much space to work in. All it does is run a password routine, then let the user type commands.

As long as your server or desktop is secure in all the ways that count, you are not vulnerable to the SFTP Trojan. If a user can overwrite your /usr/bin/sftp program, you're in trouble. But that's nothing new. We have always known that those types of vulnerabilities exist due to bad management and need to be resolved. Many web-based attack vectors allow overwriting of files (file-uploader software, for example). This could also become a serious problem if apache has write access to /usr/bin/sftp. It should not. If it does, it is likely that it also has write access to /usr/bin/traceroute (which is suid root:bin, btw) or /usr/bin/slocate (which is group suid, i.e. sgid, root:slocate, btw) or any of the 20 or so suid programs. If some bad admin were to make apache part of the bin group, chmod g+w /usr/bin/traceroute, and then use insecure file uploading, an attacker could put a virus into /usr/bin/traceroute. Then the attacker must get a user (like apache) to run traceroute. Way too easy, no?

To list the suid and sgid programs owned by root on your system (-perm -4000 is the POSIX spelling and works with both GNU and BSD find):

find / -perm -4000 -user root -type f -print
find / -perm -2000 -user root -type f -print
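The two find commands only enumerate privileged binaries; what an admin actually needs to catch is the situation described above, where a low-privilege account can write to one of them, or where /usr/bin/sftp has quietly been replaced. The shell script below is an added example and is not part of the SFTP Trojan release or its author's code. It lists suid/sgid files under a root, narrows them to the ones writable by group or others, and compares a binary against a SHA-256 baseline recorded while the system was trusted. The function names and the baseline-file workflow are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the SFTP Trojan distribution.
# Helpers for auditing the attack surface discussed above: setuid/setgid
# files that a low-privilege account could overwrite, and a baseline check
# that tells you whether /usr/bin/sftp (or any other binary) has changed
# since you recorded its hash. Function names and the baseline workflow are
# assumptions of this example.

# list_privileged_files ROOT
# Every regular file under ROOT with the setuid or setgid bit set.
# (-perm -4000 is the POSIX form and works with both GNU and BSD find.)
list_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# writable_privileged_files ROOT
# The subset of the above that is group- or world-writable. Any line of
# output is a finding: a non-root account (apache, for instance) could
# replace that program and wait for someone else to run it.
writable_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
         \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# hash_file FILE
# SHA-256 of FILE, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_baseline FILE EXPECTED_SHA256
# Returns 0 if FILE still matches the recorded hash, 1 if it has changed
# (a replaced or patched binary), 2 if FILE is missing.
check_baseline() {
    [ -f "$1" ] || return 2
    [ "$(hash_file "$1")" = "$2" ]
}

# Typical use as root on the live system:
#   writable_privileged_files /
#   hash_file /usr/bin/sftp > /root/sftp.sha256      # record once, while trusted
#   check_baseline /usr/bin/sftp "$(cat /root/sftp.sha256)" || echo "sftp changed"
```

The baseline has to be stored somewhere the attacker in this scenario cannot write (root-owned, mode 600, or off the box), otherwise it can be updated along with the binary. Where the OS package manager keeps its own manifests, `rpm -V` or `debsums` give the same kind of check for every packaged file at once.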

REQUIREMENTS

SFTP Trojan requires a C compiler and termios. It has been successfully tested on x86/Linux and amd64/OpenBSD.

METHODS
USAGE

Comments: 2

  • opzionibinariestrategie.it

    Good day! This is kind of off topic but I need some guidance from an established blog.

    Is it hard to set up your own blog? I'm not very technical but
    I can figure things out pretty quick. I'm thinking about making my own but
    I'm not sure where to begin. Do you have any ideas or suggestions?
    Thanks

  • Javantea

    Dear opzionibinariestrategie.it,

    I don't know what it is like for a person with low technical experience to create a blog. Most of the work is writing. If you can write without a lot of spelling mistakes (use the browser's built-in spellchecker), there are frameworks you can use that make it so that a semi-technical person can run a blog. Posting an off-topic comment to my blog is almost as difficult as writing your own blog. Then you'd just need to improve your skill a tiny bit and then you too can have the privilege of moderating spam and unwanted comments.

    The choice of frameworks is a difficult one and is not unimportant. Try to find someone who knows what they are talking about recommending a platform.

    Regards,
    Javantea
