SFTP Trojan
by Joel R. Voss aka. Javantea
Feb 28, 2006

SFTP Trojan 0.2.1 Source [sig]



First off, allow me to calm your worries. This is _not_ a vulnerability in SFTP. Don't go shutting down your servers or chmod 000 sftp-server or chmod 000 sftp or anything crazy like that. This is a tool that emulates the interface of sftp without using sftp. Compiled, it is 12k while sftp is 67k. It has no external libraries except libc and ld (the defaults). If you think about it, 12k is not much space to work in. All it does is run a password routine, then let the user input commands.

As long as your server or desktop is secure in all the ways that count, you are not vulnerable to the SFTP Trojan. If a user can overwrite your /usr/bin/sftp program, you're in trouble. But that's nothing new. We have always known that this type of vulnerability exists due to bad management and needs to be resolved. Many web-based attack vectors allow overwriting of files (file-upload software, for example). This could also become a serious problem if apache has write access to /usr/bin/sftp. It should not. If it does, it likely also has write access to /usr/bin/traceroute (which is suid root:bin, by the way) or /usr/bin/slocate (which is group-suid, i.e. setgid, root:slocate, by the way) or any of the 20 or so suid programs. If some bad admin were to make apache part of the bin group, then chmod g+w /usr/bin/traceroute, then use insecure file uploading, an attacker could put a virus into /usr/bin/traceroute. Then the attacker would only need to get a user (like apache) to run traceroute. Way too easy, no?

To list the setuid-root and setgid-root files on your system (the +4000 form is the 2006 GNU find syntax and is still accepted by BSD find; current GNU find replaced the +mode form with /mode, so use /4000 and /2000 there):

find / -perm +4000 -user root -type f -print
find / -perm +2000 -user root -type f -print
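The two find commands above only enumerate privileged binaries; the misconfiguration the post describes is a privileged binary that a non-root account (apache in the bin group, after chmod g+w) can overwrite. The script below is an added example, not code from the post or from the SFTP Trojan source: it goes one step beyond the listing and reports only those setuid/setgid files that are group- or world-writable, and adds a check that a single trusted path such as /usr/bin/sftp is root-owned and writable by its owner alone. It uses only POSIX find predicates, so it works with GNU, BSD and busybox find; the function names and the sample directory in the usage are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): a defender's sweep for
# privileged binaries that a non-root account could overwrite.

# Print every regular file under $1 (default /) that has the setuid or setgid
# bit set AND is group- or world-writable. On a sane host this prints nothing.
writable_privileged_files() {
    root="${1:-/}"
    # -perm -4000 / -perm -2000: all of the given bits are set (setuid / setgid)
    # -perm -020  / -perm -002 : the group-write / world-write bit is set
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# Number of such files, whitespace trimmed so it compares cleanly in scripts.
count_writable_privileged_files() {
    writable_privileged_files "$1" | wc -l | tr -d ' '
}

# Return 0 if the named file is root-owned and writable only by its owner,
# 1 otherwise. This is the property the post says /usr/bin/sftp must keep:
# if apache (or any other unprivileged account) can write it, the real sftp
# can be swapped for a look-alike.
binary_is_protected() {
    [ -n "$(find "$1" -maxdepth 0 -type f -user root \
            ! \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Usage (interactive):
#   writable_privileged_files /          # should print nothing
#   binary_is_protected /usr/bin/sftp || echo "WARNING: /usr/bin/sftp is writable by non-root"
```

Run it from a root shell for a full sweep, since find needs to read every directory; as an ordinary user the sweep is still useful for the directories you can read. The writability test relies on the POSIX "-perm -mode" form (all listed bits must be set), which is why it needs no GNU-only "/mode" syntax.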


SFTP Trojan requires a C compiler and termios. It has been successfully tested on x86/Linux and amd64/OpenBSD.




Comments: 7


  • opzionibinariestrategie.it

    Good day! This is kind of off topic but I need some guidance from an established blog.

    Is it hard to set up your own blog? I'm not very technical but
    I can figure things out pretty quick. I'm thinking about making my own but
    I'm not sure where to begin. Do you have any ideas or suggestions?

  • Javantea

    Dear opzionibinariestrategie.it,

    I don't know what it is like for a person with low technical experience to create a blog. Most of the work is writing. If you can write without a lot of spelling mistakes (use the browser's built-in spellchecker), there are frameworks you can use that make it so that a semi-technical person can run a blog. Posting an off-topic comment to my blog is almost as difficult as writing your own blog. Then you'd just need to improve your skill a tiny bit and then you too can have the privilege of moderating spam and unwanted comments.

    The choice of frameworks is a difficult one and is not unimportant. Try to find someone who knows what they are talking about to recommend a platform.


  • Theresa

    Why do users still read newspapers when in this technological globe
    everything is available on the net?

  • Jayson

    Usually I do not read articles on blogs, but I would
    like to say that this write-up very much pressured me to try and do so!
    Your writing style has amazed me. Thank you, quite a nice post.

  • Traci

    What's going down? I am new to this; I stumbled
    upon this and I've found it absolutely helpful and it has aided me out loads.
    I hope to contribute and help different users like
    it's aided me. Great job.

  • Hans

    Hi, it's a pleasant paragraph concerning media print; we all know media is an impressive source of facts.

  • Marlys

    Great delivery. Outstanding arguments. Keep up the
    great spirit.
