Re: Bug in chkrootkit ?

From: Juraj Ziegler (e_at_hq.sk)
Date: 07/31/03

  • Next message: Stuart: "RE: ping, traceroute, nampwin doesnt seem to work"
    Date: Thu, 31 Jul 2003 01:40:35 +0200
    To: security-basics@securityfocus.com
    
    
    

    > i'm not sure, but i believe that if a lkm is clever enough (ie. very well
    > programmed), it can really 'wipe' a file/process/??? from the system, so
    > it's hard sometimes to diagnose your server

    It really can. I never did it (too lazy :), but the concept of doing it is
    rather simple. You create a kernel module that "interrupts" the relevant
    syscalls: open(), read(), etc. Interrupting here means it changes the syscall
    table to call my_open() in place of open(). What my_open() does is check the
    parameters for whether they match a "wiped" file. If yes, it returns a value that
    would indicate the file does not exist. If not, it just calls the original
    open() and returns its return value.

    The following code shows how to interrupt ptrace() calls. My less lazy friend
    wrote it after we came up with the idea of using it to work around the recent
    ptrace() bug in the Linux kernel.

    <CODE>
    #define MODULE
    #define __KERNEL__
    #include <linux/module.h>
    #include <linux/kernel.h>
    #include <linux/modversions.h>
    #include <linux/smp_lock.h>
    #include <linux/types.h>
    #include <linux/dirent.h>
    #include <linux/string.h>
    #include <linux/mm.h>
    #include <linux/sched.h>
    #include <linux/errno.h>  /* EPERM */
    #include <linux/unistd.h> /* __NR_ptrace: the kernel's own syscall numbers */

    MODULE_LICENSE("GPL");

    extern void *sys_call_table[]; /* sys_call_table is exported (2.4), so we can
                                      access it */

    /* saved pointer to the kernel's real sys_ptrace(); restored on unload */
    asmlinkage int (*orig_sys_ptrace)(long request, long pid, long addr, long data);

    #define is_dumpable(tsk) ((tsk)->task_dumpable && (tsk)->mm->dumpable) /* unused here */

    /* replacement handler: refuses every ptrace() request */
    asmlinkage int
    hacked_sys_ptrace (long request, long pid, long addr, long data)
    {
      return -EPERM;
    }

    int
    init_module (void) /* module setup: swap the table entry */
    {
      orig_sys_ptrace = sys_call_table[__NR_ptrace];
      sys_call_table[__NR_ptrace] = hacked_sys_ptrace;
      return 0;
    }

    void
    cleanup_module (void) /* module shutdown */
    {
      sys_call_table[__NR_ptrace] = orig_sys_ptrace; /* set ptrace syscall back to
                                                        the original one */
    }
    </CODE>

    Focus on init_module() and hacked_sys_ptrace().

    [e]

    -- 
    _______________________________________________________________________________
    >e@hq.sk<                   /(bb|[^b]{2})/                 >http://hq.sk/~euro<
            "always know what you say, but do not always say what you know"
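A defender's check for the kind of hook the post describes, added here as an example (it is not code from the post, from its author, or from the security-basics list): compare each slot of the running sys_call_table against the address System.map lists for the matching sys_* symbol, and flag any slot that disagrees, noting whether it points outside the kernel's static text (below _etext), which is where a loaded module's handler such as hacked_sys_ptrace() would live. The System.map excerpt and the live-table dump are both constructed inline with invented addresses in the 2.4/i386 layout; the syscall numbers are the i386 ones. On a real system the live table would come from /dev/kmem (2.4) or a small read-only helper module, and System.map from the kernel build.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed System.map excerpt in the 2.4/i386 layout (not from a real build):
   kernel text lives around 0xc01xxxxx, module code is loaded far above _etext. */
static const char *system_map =
    "c0108a40 T sys_read\n"
    "c0108b10 T sys_open\n"
    "c010a2c0 T sys_ptrace\n"
    "c0200000 A _etext\n";

struct sc_entry {
    const char *sym;         /* symbol the table slot should point to */
    int nr;                  /* syscall number (i386: read=3, open=5, ptrace=26) */
    unsigned long live_addr; /* what the running kernel's table holds */
};

/* Constructed dump of the live sys_call_table, as a /dev/kmem reader would
   produce it. The ptrace slot has been redirected into module memory. */
static const struct sc_entry live_table[] = {
    { "sys_read",   3,  0xc0108a40UL },
    { "sys_open",   5,  0xc0108b10UL },
    { "sys_ptrace", 26, 0xc8831000UL },
};
#define LIVE_TABLE_LEN (sizeof live_table / sizeof live_table[0])

/* Find a symbol's address in System.map text; 0 means "not listed". */
unsigned long map_lookup(const char *map, const char *sym)
{
    const char *p = map;
    unsigned long addr;
    char type, name[64];

    while (sscanf(p, "%lx %c %63s", &addr, &type, name) == 3) {
        if (strcmp(name, sym) == 0)
            return addr;
        p = strchr(p, '\n');   /* advance to the next System.map line */
        if (p == NULL)
            break;
        p++;
    }
    return 0;
}

/* An address is inside the static kernel text if it is below _etext. */
int in_kernel_text(const char *map, unsigned long addr)
{
    unsigned long etext = map_lookup(map, "_etext");
    return etext != 0 && addr < etext;
}

/* Compare each live slot against System.map; returns how many disagree. */
int count_hooked(const struct sc_entry *tab, size_t n, const char *map)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long expect = map_lookup(map, tab[i].sym);
        if (expect == tab[i].live_addr)
            continue;
        printf("syscall %d (%s): expected %08lx, table has %08lx%s\n",
               tab[i].nr, tab[i].sym, expect, tab[i].live_addr,
               in_kernel_text(map, tab[i].live_addr) ? "" : " (outside kernel text)");
        hooked++;
    }
    return hooked;
}

int main(void)
{
    int n = count_hooked(live_table, LIVE_TABLE_LEN, system_map);
    printf("%d hooked syscall table entr%s\n", n, n == 1 ? "y" : "ies");
    return n ? 1 : 0;
}
```

The exact-address comparison is the useful part: a module that swaps a table slot has to put its own function's address there, and that address can never equal the sys_* symbol the kernel was built with. The _etext check is only a hint for triage, since a module that patches the original function's first bytes instead of the table slot would leave the slot intact.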
    
    


