by Joel R. Voss aka. Javantea
Feb 28, 2006
First off, allow me to calm your worries. This is _not_ a vulnerability in SFTP. Don't go shutting down your servers or chmod 000 sftp-server or chmod 000 sftp or anything crazy like that. This is a tool that can be used to emulate the interface of sftp without using sftp. Compiled it is 12k while sftp is 67k. It has no external libraries except libc and ld (default). If you think about it, 12k is not much space to work in. All I do is password routine, then allow them to input commands.
As long as your server or desktop is secure in all ways that count, you are not vulnerable to the SFTP Trojan. If a user can overwrite your /usr/bin/sftp program, you're in trouble. But that's nothing new. We have always known that those type of vulnerabilities existed due to bad management and need to be resolved. Many web based attack vectors allow overwriting of files (file uploaders software for example). This could also become a serious problem if apache has write access to /usr/bin/sftp. It should not. If it does, it is likely that it also has write access to /usr/bin/traceroute (which is suid root:bin btw) or /usr/bin/slocate (which is group suid root:slocate btw) or any of the 20 or so suid programs. If some bad admin were to make apache part of the bin group, then chmod g+w /usr/bin/traceroute, then use insecure file uploading, an attacker can put a virus into /usr/bin/traceroute. Then the attacker must get a user (like apache) to run traceroute. Way too easy, no?
find / -perm +4000 -user root -type f -print find / -perm +2000 -user root -type f -print
SFTP Trojan requires a C compiler and termios. It has been successfully tested on x86/Linux and amd64/OpenBSD.