2006-10-21
AltSci Concepts

Computer Journal

Computer Journal
back
SFTP Trojan
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Feb 28, 2006

SFTP Trojan 0.2.1 Source [sig]

DESCRIPTION

UDP Session Development

First off, allow me to calm your worries. This is _not_ a vulnerability in SFTP. Don't go shutting down your servers or chmod 000 sftp-server or chmod 000 sftp or anything crazy like that. This is a tool that can be used to emulate the interface of sftp without using sftp. Compiled it is 12k while sftp is 67k. It has no external libraries except libc and ld (default). If you think about it, 12k is not much space to work in. All I do is password routine, then allow them to input commands.

As long as your server or desktop is secure in all ways that count, you are not vulnerable to the SFTP Trojan. If a user can overwrite your /usr/bin/sftp program, you're in trouble. But that's nothing new. We have always known that those type of vulnerabilities existed due to bad management and need to be resolved. Many web based attack vectors allow overwriting of files (file uploaders software for example). This could also become a serious problem if apache has write access to /usr/bin/sftp. It should not. If it does, it is likely that it also has write access to /usr/bin/traceroute (which is suid root:bin btw) or /usr/bin/slocate (which is group suid root:slocate btw) or any of the 20 or so suid programs. If some bad admin were to make apache part of the bin group, then chmod g+w /usr/bin/traceroute, then use insecure file uploading, an attacker can put a virus into /usr/bin/traceroute. Then the attacker must get a user (like apache) to run traceroute. Way too easy, no?

find / -perm +4000 -user root -type f -print
find / -perm +2000 -user root -type f -print

REQUIREMENTS

SFTP Trojan requires a C compiler and termios. It has been successfully tested on x86/Linux and amd64/OpenBSD.

METHODS



USAGE

Mod level: -1 0 1 2 3 4 5

Comments:

Post a comment
Your Name: Login

Subject:

Comment:

RSS Feed
Home | Login | Others