Re: Non registering shell

From: Rory Savage (rsavage@nandomedia.com)
Date: 02/28/03

  • Next message: sk: "Re: freeconsole()" 
    From: Rory Savage <rsavage@nandomedia.com>
To: Brian Hatch <vuln-dev@ifokr.org>
Date: 28 Feb 2003 10:50:16 -0500

    Brian,

       Now that you mention it, I think it was a backdoor (a special
    rootshell). Can any provide URLs to example backdoors?

    -Rory

    On Thu, 2003-02-27 at 14:45, Brian Hatch wrote:
    > > I have a question I hope somebody will be able to answer. I am looking
    > > for code to build a UNIX shell which is immune to system process listing
    > > and or logged by the syslog facility, is this possible? I used to work
    > > for a government contractor , and met a UNIX systems programmer who
    > > wrote a shell which made his work invisible. Can anyone share info on
    > > this?
    >
    > You mean you want to be able to run commands from a 'magic' shell
    > and have those commands invisible from ps, top, lsof, etc?
    >
    > No, this is not possible. The kernel keeps track of all running
    > processes. (If it didn't, it wouldn't be able to give them access
    > to system calls, CPU, etc.) The kernel is where process reporting
    > programs such as ps, top, lsof, and friends get their information
    > from. You cannot have a shell that 'outfoxes' the kernel.
    >
    > You can modify the kernel to not report processes if you
    >
    > * have a loadable kernel module that intercepts process
    > listing accesses and hides certain processes from the list
    > * modfify the process reporting structure, such as the
    > /proc filesystem, to hide these processes
    >
    > Now someone could determine that a process did exist by using 'kill'
    > and noting when a non-existant process id returned a 'permission denied'
    > instead of 'no such process' depending on how the kernel was modified.
    >
    > One other method could be that you write a shell that modifies the
    > argv[0] of each child. So instead of calling
    >
    > "/bin/cat" "cat" "arg1" "arg2" "arg3" ...
    >
    > you call
    >
    > "/bin/cat" "sh" "arg1" "arg2" "arg3" ...
    >
    > to make cat think it's name is 'sh', and the process list will show
    > 'sh' as well.[1] You'll still have an entry in ps (and the arguments
    > may indicate something is wierd if you saw "sh / -name foo -exec
    > something {} ;" in ps output, since that's clearly 'find' syntax)
    > but it won't be immediately obvious if a user just does a ps for
    > process name, not args.
    >
    > However this will cause problems for any program that actually checks
    > argv[0] - for example gzip, gunzip, and zcat are usually the same file
    > (hardlinks) and it uses argv[0] to determine how it should behave.
    >
    > The other solution would be to backdoor all your process reporting tools
    > and hope no one brings along a pristine copy.
    >
    > So your options are:
    >
    > * modify kernel very effective
    >
    > * modify ps/top/etc somewhat effective
    >
    > * new shell that fudges pretty lame and will break
    > argv[0] of children some functionality
    >
    >
    > Now if you were talking about more mundane things like not leaving
    > a .history file around, that's trivial. Reset the appropriate
    > env variables (HISTFILE and/or HISTSAVE for example) and they won't
    > log. To be 'immune' from syslog, use programs that don't send syslogs,
    > or you could LD_PRELOAD a library that defined openlog, syslog, and
    > closelog to null functions.
    >
    >
    >
    > [1] Depending on your OS, you may still be able to learn the real
    > process name. In Linux, for example, /proc/PID/exe will be
    > a symlink to the real /bin/cat executable. /proc/PID/stat*
    > will point out other helpful info too.
    >
    >
    > --
    > Brian Hatch Why do "fat chance"
    > Systems and and "slim chance"
    > Security Engineer mean the same thing?
    > www.hackinglinuxexposed.com
    >
    > Every message PGP signed

    Relevant Pages

    • Re: Non registering shell
      ... > wrote a shell which made his work invisible. ... The kernel keeps track of all running ... To be 'immune' from syslog, use programs that don't send syslogs, ...
      (Vuln-Dev)
    • Re: Compiling an optimized kernel for VirtualBox or real machines
      ... I shall try testing your kernel soon. ... I am having problems with the build scripts though, because my shell is ... but autotools generates build scripts that do not work on ...
      (comp.os.linux.misc)
    • Re: Announce loop-AES-v3.0b file/swap crypto package
      ... >> Nothing about kernel crypto is backdoored. ... >> should show me source code. ... Clearly there is no intentional backdoor. ... confusing the kernel with util-linux is a strange trick. ...
      (Linux-Kernel)
    • Re: What is the name of the 4DOS language?
      ... Some OS terms such as kernel and shell derive from other fields. ... Unix people liked to use analogy - kernel and shell of a nut, ... been written in 1966 or 67 and would compile or assemble just fine. ...
      (comp.os.msdos.4dos)
    • shell outputs anything typed when the kernel thinks@100%
      ... This is a long time annoying misconception i'm reporting here: ... When a command is run from a shell and drives the kernel to use 100% of cpu ... When logging in a shell, one will type his username, 'return' and then his ...
      (Linux-Kernel)