[vox-tech] Easy tripwire alternative

vox-tech@lists.lugod.org
Sat, 14 Dec 2002 15:54:14 -0500


On Sat, Dec 14, 2002 at 12:08:16PM -0800, Rod Roark wrote:
> My plan is to keep the md5sum, find and grep binaries on the 
> floppy.  They still require system .so libraries but those 
> will be harder to hack.  A bootable CD is a good idea, but 
> I'd like to be able to check without taking the servers 
> down.

  Once you get the resulting system done... could you post the next
revision?

    TTFN,
      Mike

ps:
  As far as hacking the .so libraries... I was going to put together a 
simple demonstration of changing libc so that anytime md5sum -c was running
it would find no problems.  Since it is very easy to 'filter' things
(call the real worker function if something isn't true but return 
fake results if not true), it's only like 50 lines or less.
  I tried an ltrace to figure out which call it made to the *cmp functions,
and found none... this is why I pulled down the md5sum source code
to see what it was doing, since it must logically do a 'memcmp'
on the string it read to the string it computed.  Anyway I noticed
several small hard coded buffers.  Also md5sum.c does actually do a
memcmp call, but it turns out that gcc when compiling with -O2 will
replace the call with a builtin asm block... so the libc example would
either have to play with the fprintf error report or be even fancier.
  About this time I decided to stop ...

pps:
  I've heard of kernel module root kit type things... where something loads
into a running kernel which allows processes to do whatever they want, 
and the activity is cloaked from normal user view... I read about this
a long time ago so don't have any references, but in theory even a kernel
which has no support for module loading could be 'taken over' via a root
process, /dev/kmem, and loads of black magic.