From: Seth Arnold (sarnold_at_wirex.com)
Date: Fri Jan 17 2003 - 14:46:19 CST
On Wed, Jan 15, 2003 at 11:47:37PM +0100, Hugo van der Kooij wrote:
> > I'm trying to build a CD that has all the binaries and libraries
> > needed to run chkrootkit on it (so I can be more confident that
> This actually sounds like you run dynamic libraries from the suspect
> system. Which means the CD is useless.
>
> ANYTHING on the CD should be able to run on its own. So you need static
> tools for just about everything or make sure dynamic loading occurs from
> the CD only.
>
> I suggest you make the CD bootable and only mount partitions from a
> suspected system into this Read-Only system.
Hugo, part of the problem is that chkrootkit is designed to be run from
a compromised system and try to discover inconsistencies in the rootkits
that have been installed on said compromised system. It doesn't work
nearly so well to boot to known good media to discover this. :)
So, I had written a response very similar to yours before deciding that
in fact, making the CD bootable probably isn't what is desired out of
this tool. :)
What _is_ happening is that the loader from the 7.3 system is being used
to try to load binaries from the 8.0 system, with the resulting
incompatibilities. Providing the 8.0 loader (/lib/ld-* stuff) on the CD
will allow the native 8.0 loader to be used[1] -- with the caveat that
executing the loader through any running shell on the system may be
using rootkitted execve() syscalls, currently-linked-in glibc (which may
be rootkitted), etc.
You're right in that making it a bootable CD is the only way to trust
its results. The downside is that the tool relies on running in an
unsafe context and hoping to catch the sleight of hand in the act,
red-handed, as it were.
Cheers
[1]: the linker can be executed directly:
$ /lib/ld-linux.so.2 /bin/echo "hello world"
hello world
$
-- United States of America, n: The finest plutocracy on the planet!
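As an added illustration of the CD-staging step Seth describes (not code from the thread or from chkrootkit): copy a binary, the libraries it needs and the system's own ld-linux.so.2 onto the CD tree, then write a launcher that invokes the CD's loader directly, as in footnote [1], with the glibc loader's --library-path option pointing at the CD's lib/. The function names, the launcher layout and the sample ldd output are this example's own assumptions.

```shell
# Stage one binary plus its libraries and interpreter into a CD tree and
# write a launcher that runs it through the CD's own loader, so neither
# the suspect system's /lib/ld-* nor its glibc is used. Names are ours.

# Constructed sample of ldd(1) output in the older two-column style.
SAMPLE_LDD='    libc.so.6 => /lib/libc.so.6 (0x40020000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# stdin: ldd output. Prints every absolute path that must be copied:
# "X => /path (addr)" lines and bare "/path (addr)" interpreter lines.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// { print $1 }'
}

# stdin: ldd output. Prints the interpreter path (the line whose first
# field is itself an absolute path), whichever ldd style printed it.
ldd_interp() {
    awk '$1 ~ /^\// { print $1; exit }'
}

# $1: program name under bin/, $2: interpreter file name under lib/.
# Emits a launcher that calls the CD's loader directly and points it at
# the CD's lib/ via --library-path (a glibc ld.so option).
make_launcher() {
    cat <<EOF
#!/bin/sh
# The shell running this still goes through the suspect kernel's
# execve(); the loader and libc, at least, now come from the CD.
CD=\$(cd "\$(dirname "\$0")" && pwd)
exec "\$CD/lib/$2" --library-path "\$CD/lib" "\$CD/bin/$1" "\$@"
EOF
}

# $1: CD root directory, $2: binary to stage. Run this on a known-good
# host of the same release (the 8.0 box, in the thread's terms).
stage_binary() {
    cdroot=$1; bin=$2; name=$(basename "$bin")
    mkdir -p "$cdroot/bin" "$cdroot/lib"
    cp "$bin" "$cdroot/bin/$name"
    deps=$(ldd "$bin")
    for f in $(printf '%s\n' "$deps" | ldd_paths); do
        cp "$f" "$cdroot/lib/"
    done
    interp=$(basename "$(printf '%s\n' "$deps" | ldd_interp)")
    make_launcher "$name" "$interp" > "$cdroot/run-$name"
    chmod +x "$cdroot/run-$name"
}
```

Typical use is `stage_binary /mnt/cdimage /bin/ls` for each binary chkrootkit calls, then burning the tree and running `run-ls` and friends from the mounted CD on the suspect box.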