SFTP Trojan
by Joel R. Voss aka. Javantea
Feb 28, 2006

SFTP Trojan 0.2.1 Source [sig]



First off, allow me to calm your worries. This is _not_ a vulnerability in SFTP. Don't go shutting down your servers or chmod 000 sftp-server or chmod 000 sftp or anything crazy like that. This is a tool that can be used to emulate the interface of sftp without using sftp. Compiled, it is 12k while sftp is 67k. It has no external libraries except libc and ld (the defaults). If you think about it, 12k is not much space to work in. All I do is the password routine, then allow the user to input commands.

As long as your server or desktop is secure in all the ways that count, you are not vulnerable to the SFTP Trojan. If a user can overwrite your /usr/bin/sftp program, you're in trouble. But that's nothing new. We have always known that those types of vulnerabilities exist due to bad management and need to be resolved. Many web-based attack vectors allow overwriting of files (file-upload software, for example). This could also become a serious problem if apache has write access to /usr/bin/sftp. It should not. If it does, it is likely that it also has write access to /usr/bin/traceroute (which is suid root:bin, btw) or /usr/bin/slocate (which is setgid root:slocate, btw) or any of the 20 or so suid programs. If some bad admin were to make apache part of the bin group, then chmod g+w /usr/bin/traceroute, then use insecure file uploading, an attacker could put a virus into /usr/bin/traceroute. Then the attacker would only need to get a user (like apache) to run traceroute. Way too easy, no?

# list regular files owned by root with the setuid bit set
# (+4000 is the GNU find syntax of the time; newer GNU find writes it /4000)
find / -perm +4000 -user root -type f -print
# list regular files owned by root with the setgid bit set
find / -perm +2000 -user root -type f -print
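The find commands above list the privileged programs; the condition the post actually warns about is a setuid or setgid program that a non-owner (a group such as bin, or everyone) can overwrite. The following is an added example, not code from the original post: a POSIX sh audit that lists setuid/setgid files with group- or world-write permission and checks a single program such as /usr/bin/sftp. It assumes only find, ls and cut; the function names and the default root of / are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): find setuid/setgid files
# that a non-owner could overwrite. Assumes POSIX sh, find, ls and cut;
# no GNU-only options such as -printf.

# writable_privileged ROOT: print every setuid or setgid regular file
# under ROOT that is group-writable or world-writable, one per line.
# "-perm -MODE" matches when all bits of MODE are set (POSIX).
writable_privileged() {
    root=${1:-/}
    find "$root" -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) \
        -print 2>/dev/null
}

# count_writable_privileged ROOT: number of findings, handy as the
# pass/fail criterion of a cron job (anything above 0 needs a look).
count_writable_privileged() {
    writable_privileged "$1" | wc -l | tr -d ' '
}

# check_binary PATH: print "ok" if PATH exists and is not writable by
# group or others, "writable" if it is, "missing" if it does not exist.
# Reads the mode string from ls -ld, e.g. -rwsr-xr-x: column 6 is the
# group write bit and column 9 the other write bit.
check_binary() {
    f=$1
    if [ ! -f "$f" ]; then
        echo missing
        return 0
    fi
    perms=$(ls -ld "$f" | cut -c1-10)
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo writable
    else
        echo ok
    fi
}
```

Run `writable_privileged /usr` to audit a real tree, and `check_binary /usr/bin/sftp` to spot-check the program the post discusses; a correctly installed setuid program should never report "writable".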


SFTP Trojan requires a C compiler and termios. It has been successfully tested on x86/Linux and amd64/OpenBSD.




Comments: 3


  • Javantea

    Dear opzionibinariestrategie.it,

    I don't know what it is like for a person with low technical experience to create a blog. Most of the work is writing. If you can write without a lot of spelling mistakes (use the browser's built-in spellchecker), there are frameworks you can use that make it so that a semi-technical person can run a blog. Posting an off-topic comment to my blog is almost as difficult as writing your own blog. Then you'd just need to improve your skill a tiny bit and then you too can have the privilege of moderating spam and unwanted comments.

    The choice of frameworks is a difficult one and is not unimportant. Try to find someone who knows what they are talking about to recommend a platform.


  • Jayson

    Usually I do not read articles on blogs, but I would like to say that this write-up very much pressured me to try and do it! Your writing style has amazed me. Thank you, quite nice post.

  • Traci

    What's going down? I am new to this. I stumbled upon this and I've found it absolutely helpful, and it has aided me out loads. I hope to contribute & help other users like it's aided me. Great job.
