 
From: Brian Coyle (brianlinuxwidows.com)
Date: Tue Jan 22 2002 - 19:59:07 CST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Tuesday 22 January 2002 13:37, Valdis.Kletnieksvt.edu wrote:

    [snip]

    >
    > I'm wondering if you managed to get a bad copy of the disk image, and
    > there's a busticated inode belonging to some file in lib/.

    Nope, the md5sums checked out OK. I also downloaded a second copy to
    verify... Of course, if the HoneyNet folks gathered a bad image.... ;)

    >
    > To test:
    >
    > 1) cd lib/
    > 2) /bin/ls (you say this works)
    > 3) (bash/ksh) for i in `/bin/ls`; do echo $i; /bin/ls -l $i; done

    Every file in /home/ftp/lib gives a segfault. But, from /home/ftp/
    I can `ls -l lib` all I want...

    > I'm wondering if the $CRACKED_BOX had a kernel module loaded that used

    There was nothing in the HoneyNet Forensic Challenge analysis to
    substantiate this.

    > a previously reserved bit in the inode as a "hide me please" flag, and
    > a modified lsattr/chattr command to set the bit, and 'ls' and 'stat'

    This is interesting:

    $CRACKED_BOX/home/ftp/lib # lsattr *

    -------- ld-2.1.3.so
    -------- ld-linux.so.2
    -------- libc-2.1.3.so
    -------- libc.so.6
    -------- libnsl-2.1.3.so
    -------- libnsl.so.1
    -------- libnss_files-2.1.3.so
    -------- libnss_files.so.2

    Yet, debugfs shows proper permissions:

    debugfs: ls -la
    123137 40755 0 0 4096 04-Nov-2000 18:56 .
     30785 40755 0 0 4096 04-Nov-2000 18:56 ..
    123138 100755 0 0 77216 04-Feb-2000 09:07 ld-2.1.3.so
    123139 120777 0 0 11 04-Nov-2000 18:56 ld-linux.so.2
    123140 100755 0 0 985256 04-Feb-2000 09:07 libc-2.1.3.so
    123141 120777 0 0 13 04-Nov-2000 18:56 libc.so.6
    123142 100755 0 0 75888 04-Feb-2000 09:07 libnsl-2.1.3.so
    123143 120777 0 0 15 04-Nov-2000 18:56 libnsl.so.1
    123144 100755 0 0 33036 04-Feb-2000 09:07 libnss_files-2.1.3.so
    123145 120777 0 0 21 04-Nov-2000 18:56 libnss_files.so.2

    And while stat fails just before spewing the mode info,

    $CRACKED_BOX/home/ftp/lib # stat ld-2.1.3.so
      File: "ld-2.1.3.so"
      Size: 77216 Allocated Blocks: 160 Filetype: Regular File
    Segmentation fault

    it works from the parent:

    $CRACKED_BOX/home/ftp/lib # cd ..
    $CRACKED_BOX/home/ftp/ # stat lib/ld-2.1.3.so
      File: "lib/ld-2.1.3.so"
      Size: 77216 Allocated Blocks: 160 Filetype: Regular File
      Mode: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Device: 7,3 Inode: 123138 Links: 1
    Access: Fri Feb 4 09:07:00 2000
    Modify: Fri Feb 4 09:07:00 2000
    Change: Sat Nov 4 18:56:55 2000

    Another clue: df -[m|k] will also segfault.

    Does anyone still have their HFC images lying around to try and duplicate
    this?

    This has got to be related to the chroot jail, but I'm still baffled.
    It might be time to look at the source for ls, stat and lsattr...

    -- 
    "Open source software - with no walls and fences, who needs Windows and
    Gates?"
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8Thj4ER3MuHUncBsRAntWAJ0XggjehwuRpgYdPUpHz+sBVXD0fACeIqyO
    Qcm4BO8UBpfcmDVfHSpPpqI=
    =1iJr
    -----END PGP SIGNATURE-----
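As an added example, not part of Brian's message or of the Honeynet Forensic Challenge material: a small Python script that makes the comparison he does by hand above systematic. It parses a debugfs `ls -la` listing (the listing quoted in the message is embedded verbatim as sample input), takes a second view of the same directory from the running kernel through lstat(), and reports every name, inode, mode or size on which the two views disagree. The function names (parse_debugfs_ls, live_view, cross_check) and the "live" dictionary used in the sample run are my own constructions; on a real investigation you would mount the image read-only and point live_view() at the mounted lib/ directory, reading it from the parent as in the stat run above.

```python
"""Cross-view check: debugfs 'ls -la' (on-disk metadata) versus lstat() (what the
running kernel's VFS reports) for one directory.

Added example for this thread; not code from the original message or from the
Honeynet Project.  A kernel module that filters directory entries or inode data,
or simply a damaged inode, shows up as a disagreement between the two views."""

import os
import re
import stat
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    inode: int
    mode: int   # full st_mode: file-type bits plus permission bits
    size: int


# debugfs 'ls -la' lines look like:
#   123138 100755 0 0 77216 04-Feb-2000 09:07 ld-2.1.3.so
# i.e. inode, octal mode (type+perms), uid, gid, size, date, time, name.
_DEBUGFS_LINE = re.compile(
    r"^\s*(\d+)\s+([0-7]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+(.+?)\s*$"
)


def parse_debugfs_ls(text: str) -> Dict[str, Entry]:
    """Parse debugfs 'ls -la' output into {name: Entry}; '.' and '..' are skipped."""
    out: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = _DEBUGFS_LINE.match(line)
        if not m:
            continue  # the 'debugfs:' prompt line, blanks, etc.
        inode, mode, _uid, _gid, size, name = m.groups()
        if name in (".", ".."):
            continue
        out[name] = Entry(int(inode), int(mode, 8), int(size))
    return out


def live_view(dirpath: str) -> Dict[str, Entry]:
    """The same directory as seen through the VFS (lstat, symlinks not followed)."""
    out: Dict[str, Entry] = {}
    for name in os.listdir(dirpath):
        try:
            st = os.lstat(os.path.join(dirpath, name))
        except OSError:
            # Listed but not stat-able: record a ghost so cross_check() flags it.
            out[name] = Entry(-1, -1, -1)
            continue
        out[name] = Entry(st.st_ino, st.st_mode, st.st_size)
    return out


def cross_check(ondisk: Dict[str, Entry], live: Dict[str, Entry]) -> List[str]:
    """Return human-readable findings; an empty list means the views agree."""
    findings: List[str] = []
    for name in sorted(set(ondisk) | set(live)):
        if name not in live:
            findings.append(f"HIDDEN: {name} is inode {ondisk[name].inode} on disk "
                            f"but not visible through the VFS")
        elif name not in ondisk:
            findings.append(f"PHANTOM: {name} visible through the VFS but absent on disk")
        else:
            a, b = ondisk[name], live[name]
            if a.inode != b.inode:
                findings.append(f"INODE: {name} disk={a.inode} live={b.inode}")
            if a.mode != b.mode:
                findings.append(f"MODE: {name} disk={a.mode:o} live={b.mode:o}")
            if a.size != b.size and not stat.S_ISDIR(a.mode):
                findings.append(f"SIZE: {name} disk={a.size} live={b.size}")
    return findings


# Sample on-disk view: the debugfs listing quoted in the message above, verbatim.
DEBUGFS_LISTING = """\
debugfs: ls -la
123137 40755 0 0 4096 04-Nov-2000 18:56 .
 30785 40755 0 0 4096 04-Nov-2000 18:56 ..
123138 100755 0 0 77216 04-Feb-2000 09:07 ld-2.1.3.so
123139 120777 0 0 11 04-Nov-2000 18:56 ld-linux.so.2
123140 100755 0 0 985256 04-Feb-2000 09:07 libc-2.1.3.so
123141 120777 0 0 13 04-Nov-2000 18:56 libc.so.6
123142 100755 0 0 75888 04-Feb-2000 09:07 libnsl-2.1.3.so
123143 120777 0 0 15 04-Nov-2000 18:56 libnsl.so.1
123144 100755 0 0 33036 04-Feb-2000 09:07 libnss_files-2.1.3.so
123145 120777 0 0 21 04-Nov-2000 18:56 libnss_files.so.2
"""

# Constructed "live" view (NOT real data from the challenge image): what lstat()
# might report on a box whose VFS is lying.  libnss_files.so.2 is deliberately
# missing and libc-2.1.3.so deliberately carries different permission bits.
CONSTRUCTED_LIVE = {
    "ld-2.1.3.so":           Entry(123138, 0o100755, 77216),
    "ld-linux.so.2":         Entry(123139, 0o120777, 11),
    "libc-2.1.3.so":         Entry(123140, 0o100555, 985256),
    "libc.so.6":             Entry(123141, 0o120777, 13),
    "libnsl-2.1.3.so":       Entry(123142, 0o100755, 75888),
    "libnsl.so.1":           Entry(123143, 0o120777, 15),
    "libnss_files-2.1.3.so": Entry(123144, 0o100755, 33036),
}

if __name__ == "__main__":
    for finding in cross_check(parse_debugfs_ls(DEBUGFS_LISTING), CONSTRUCTED_LIVE):
        print(finding)
```

Because both views are keyed by name and compared on inode number and full mode, a reserved inode flag that makes the kernel skip or misreport an entry would surface here even though ls from the parent directory looks normal; a tool that segfaults while walking the directory is recorded as a ghost entry rather than silently dropped.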

    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com