On 18-02-2014 09:00, Daniel Cegiełka wrote:
> 2014-02-17 20:20 GMT+01:00 Theo de Raadt <dera...@cvs.openbsd.org>:
>
> Theo,
> I think something went wrong with this topic.
>
> Firstly, I don't know of any vulnerability in order to gain privileges
> (e.g. uid 0) using LD_PRELOAD. I want it to be clearly defined. And
> yes, the trick shown with LD_PRELOAD was cheap and didn't give any root
> rights etc. Despite this, "id" (or the user) was tricked and thought that
> it is root (some even tried to read /etc/master.passwd).
>
>> The above is no different from copying the "id" binary to a new place,
>> then hand-editing the binary to return 0 deep inside it, then running
>> this new copy. Whoohoo! Terrible risk! Modified code lied to me!
>
> Yes, but if you do that, the modified or hand-edited binary can be
> easily detected (hash sum) and analyzed. This means that it isn't the
> best way to hide a backdoor. Is that correct?
>
> So I have a question. If you already have root privileges and you want
> to run a backdoor and you want to make it difficult to detect (held
> only in memory - without modifying binary files), can you do so on
> OpenBSD by using LD_PRELOAD?
>
> Best regards,
> Daniel
>

The purpose of a rootkit is maintaining root access without detection. In that sense, I believe you can use the LD_PRELOAD technique, after gaining root access, on an OpenBSD system. I even believe that, with some code changes of course, you could use the rootkit mentioned by the OP.
Now, just keep in mind that privilege escalation on the base OpenBSD system is not a simple task. I believe it would be easier to trick the root user into giving you his/her password than to escalate your privileges.

Cheers,
-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC