For some reason you may wish to create a backdoor to an Ubuntu system “that you own!”… or you may want to know the methods someone may use to hack your system in order to stop them. Whatever your reasoning, here is a short and simple description of how someone may create a local backdoor into your Ubuntu system.
To start off I had better explain what a local backdoor is. This is when a legitimate regular user of a system (e.g. a student on a uni network) attempts to escalate their privileges past what they should be allowed – usually to root level access.
Such local backdoor attempts are usually simple script files or C programs that give the attacker root shell access. In order to achieve this feat the attacker attempts to set the SUID flag. Here is an example of the type of program to look out for:
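    #include <unistd.h>

    int main()
    {
        setuid(0);                          /* set the user ID to 0 (root) */
        setgid(0);                          /* change the group to match */
        execl("/bin/sh", "ps", "-i", NULL); /* start a shell whose argv[0] is "ps" */
        return 0;
    }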
Obviously a well-configured system would stop such an attack, but unfortunately this is not always the case. Here’s what’s happening in the above code: the setuid(0) call sets the user ID to 0, which is “root”. Then setgid(0) changes the group to match. Both calls only succeed when the program already runs with root’s effective ID, which is why the file has to be owned by root and carry the SUID flag. The program then just opens a shell, but disguises it as ‘ps’ in the process list.
This kind of program is usually hidden by a legitimate user of a system deep within the file system. Whenever they wish to have root access they simply run it. This can even be done remotely.
Since many open-source systems give very easy access to binaries, people can make modified versions of such binaries. For instance, the “eject -t” command usually opens and closes the CD-ROM drive. But it could easily be modified to shovel a root shell to the user who runs the modified binary. So even if an administrator was watching over your shoulder, it would look as if you’re running the ‘-t’ command to close the CD-ROM drive when you could actually be giving yourself a root access shell.
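To look for hidden SUID files like the one described above, an administrator can list every setuid/setgid file and flag those that no installed package owns. This is an added example, not part of the original post; the function names are made up for illustration, and it assumes a dpkg-based system such as Ubuntu.

```shell
#!/bin/sh
# Added example: audit for setuid/setgid files that no Debian package owns.
# Function names are illustrative, not from any existing tool.

# Print every regular file under $1 that has the setuid or setgid bit set.
# -xdev keeps the scan on one filesystem (skips /proc, network mounts, ...).
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Succeeds if dpkg knows which package installed the file $1.
# Without dpkg nothing can be vouched for, so every file counts as unowned.
owned_by_package() {
    command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1
}

# Print an "ls -ld" line (mode, owner, group, path) for each setuid/setgid
# file under $1 that is not package-owned. These are the ones to review.
audit_suid() {
    list_suid_sgid "$1" | while IFS= read -r f; do
        owned_by_package "$f" && continue
        ls -ld -- "$f"
    done
}

# Run as root so find can read every directory, e.g.: sh <this script> /
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

A packaged binary that has been replaced in place, like the modified eject above, still passes this ownership check; `dpkg --verify` compares installed files against the package checksums and covers that case.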
Use responsibly.