MORE SSH Hacking: heads-up

netmask netmask at enZotech.net
Thu Aug 12 17:07:32 UTC 2004


> I was not speaking about the network transfer between client and server. I 
> thought this was obvious. I was speaking about the possibility to locally, 
> on the SSHD system itself, to sniff password entries when running "su". 
> Alexander

Then that wouldn't be 'sniffing', would it?

Sniffing pertains to the network..  a 'su' doesn't use any network sockets.

You are talking about tracing their processes.. and a normal user can't do 
that to another user.

An already logged in user ALSO can't do it, because you can't trace SUID 
binaries..

Try it: 'strace su'.

You could trojan the su, by putting a 'su' in the path before the system su, 
and taking their password, recording it, and then passing it to the system 
'su'.. but you'd still need to be that user (or root of course, but if you're 
root.. why would you care?)

Lastly, you might be able to record it via injected modules using LD_PRELOAD.. 
But I've never researched this method in depth.. You can easily use 
LD_PRELOAD though to bypass restricted shells. (Nothing to do with this).
