Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
the last few years I've become quite interested in them (from a defensive
point of view), but with the 2.6 kernel no longer exporting the syscall
table, intercepting system calls would appear to be a non-starter now. In
a perverse sort of way, i'm actually rather dissapointed: all that
learning gone to waste.
Cheers,
Pete
On Thu, Mar 11, 2004 at 11:26:23AM -0800, pg smith wrote:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
> the last few years I've become quite interested in them (from a defensive
> point of view), but with the 2.6 kernel no longer exporting the syscall
> table, intercepting system calls would appear to be a non-starter now.
Don't bet on it. They'll just start doing what binary-only driver vendors
have been doing for months.. If the table isn't exported, they find a symbol
that is exported, and grovel around in memory near there until they find
something that looks like it, and patch accordingly.
Dave
Am Do, den 11.03.2004 schrieb Dave Jones um 19:48:
> Don't bet on it. They'll just start doing what binary-only driver vendors
> have been doing for months.. If the table isn't exported, they find a symbol
> that is exported, and grovel around in memory near there until they find
> something that looks like it, and patch accordingly.
Ugh... this sounds ugly. This should be forbidden. I mean, what are
things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
whatever they want?
On Thu, 11 Mar 2004 20:16:28 +0100, Christophe Saout said:
> Ugh... this sounds ugly. This should be forbidden. I mean, what are
> things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> whatever they want?
If the binary blob knows enough about the innards to be able to do binary
patching, it's a derived work and should be GPL.
Even the NVidia driver isn't *that* evil... :)
Christophe Saout <[email protected]> writes:
> Am Do, den 11.03.2004 schrieb Dave Jones um 19:48:
>
>> Don't bet on it. They'll just start doing what binary-only driver vendors
>> have been doing for months.. If the table isn't exported, they find a symbol
>> that is exported, and grovel around in memory near there until they find
>> something that looks like it, and patch accordingly.
>
> Ugh... this sounds ugly. This should be forbidden. I mean, what are
> things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> whatever they want?
Who is to stop them? When running in kernel mode you are god.
--
M?ns Rullg?rd
[email protected]
On Thu, 11 Mar 2004 11:26:23 PST, pg smith <[email protected]> said:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
Speak of the devil...
Subject: Announcing full functional adore-ng rootkit for 2.6 Kernel
From: stealth <[email protected]>
Date: Thu, 11 Mar 2004 10:27:00 +0000
To: [email protected]
Hi,
At http://stealth.7350.org/rootkits/adore-ng-0.41.tgz you find
the complete port of adore-ng for the Linux kernel 2.6. All
of the stuff you know from earlier kernel 2.4 versions such
as socket-, process- and file-hiding, syslog- and [uw]tmp filtering
has been ported. Additionally since version 0.32 a buffer overflow has
been fixed (doh!) which could lead to crashes when a lot of network
connections exist.
regards,
stealth-
On Thu, Mar 11, 2004 at 08:31:49PM +0100, M?ns Rullg?rd wrote:
> Christophe Saout <[email protected]> writes:
> > Ugh... this sounds ugly. This should be forbidden. I mean, what are
> > things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> > whatever they want?
>
> Who is to stop them? When running in kernel mode you are god.
Uhm, Next Generation Secure Computing Base? Running in ring -1. ;)
Sorry, I couldn't resist ;)
--
Tomasz Torcz Only gods can safely risk perfection,
[email protected] it's a dangerous thing for a man. -- Alia
>
> Subject: Announcing full functional adore-ng rootkit for 2.6 Kernel
> From: stealth <[email protected]>
> Date: Thu, 11 Mar 2004 10:27:00 +0000
> To: [email protected]
>
> Hi,
>
> At http://stealth.7350.org/rootkits/adore-ng-0.41.tgz you find
> the complete port of adore-ng for the Linux kernel 2.6. All
> of the stuff you know from earlier kernel 2.4 versions such
>From the FEATURES file :
o does not utilize sys_call_table but VFS layer
Seems to be that easy... Should we hide VFS layer now :-)
Regards,
Paul
pg smith <[email protected]> said:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
> the last few years I've become quite interested in them (from a defensive
> point of view), but with the 2.6 kernel no longer exporting the syscall
> table, intercepting system calls would appear to be a non-starter now. In
> a perverse sort of way, i'm actually rather dissapointed: all that
> learning gone to waste.
If you get to load a module, you are in-kernel. Once there, you can either
use what you know are the offsets for $distro-$version-$arch kernel and be
in business as usual, or fool around on your own. Harder than before, yes.
Impossible, by no means.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
Christophe Saout <[email protected]> said:
> Am Do, den 11.03.2004 schrieb Dave Jones um 19:48:
> > Don't bet on it. They'll just start doing what binary-only driver vendors
> > have been doing for months.. If the table isn't exported, they find a
> > symbol that is exported, and grovel around in memory near there until
> > they find something that looks like it, and patch accordingly.
> Ugh... this sounds ugly. This should be forbidden. I mean, what are
> things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> whatever they want?
It _is_ forbidden. This isn't any kind of accident we are talking about,
this is out and out fraud.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
Am Do, den 11.03.2004 schrieb Horst von Brand um 21:33:
> > > Don't bet on it. They'll just start doing what binary-only driver vendors
> > > have been doing for months.. If the table isn't exported, they find a
> > > symbol that is exported, and grovel around in memory near there until
> > > they find something that looks like it, and patch accordingly.
>
> > Ugh... this sounds ugly. This should be forbidden. I mean, what are
> > things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> > whatever they want?
>
> It _is_ forbidden. This isn't any kind of accident we are talking about,
> this is out and out fraud.
I'm talking about binary modules, not rootkits. Vendors aren't doing
forbidden things, are they?
[email protected] wrote:
> On Thu, 11 Mar 2004 20:16:28 +0100, Christophe Saout said:
>
>
>>Ugh... this sounds ugly. This should be forbidden. I mean, what are
>>things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
>>whatever they want?
>
>
> If the binary blob knows enough about the innards to be able to do binary
> patching, it's a derived work and should be GPL.
Maybe!
Unless the offset of an unexported symbol relative to an exported one is
simply a "fact" which therefore can't be copyrighted.
This sort of thing would probably be unethical, but it might be legal.
Christophe Saout <[email protected]> said:
> On Thu, 11 Mar 2004 20:16:28 +0100, Christophe Saout said:
>
> > Ugh... this sounds ugly. This should be forbidden. I mean, what are
> > things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> > whatever they want?
>
> If the binary blob knows enough about the innards to be able to do binary
> patching, it's a derived work and should be GPL.
You are more than wellcome to use it as you see fit, and distribute it as
widely as you can ;-)
> Even the NVidia driver isn't *that* evil... :)
:-)
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
> > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > this is out and out fraud.
>
> I'm talking about binary modules, not rootkits. Vendors aren't doing
> forbidden things, are they?
Yes.
Dave
On Thu, 2004-03-11 at 16:50, Dave Jones wrote:
> On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
>
> > > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > > this is out and out fraud.
> >
> > I'm talking about binary modules, not rootkits. Vendors aren't doing
> > forbidden things, are they?
>
> Yes.
>
> Dave
What Vendors and modules?
On Thu, Mar 11, 2004 at 05:51:33PM -0700, Dax Kelson wrote:
> On Thu, 2004-03-11 at 16:50, Dave Jones wrote:
> > On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
> >
> > > > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > > > this is out and out fraud.
> > >
> > > I'm talking about binary modules, not rootkits. Vendors aren't doing
> > > forbidden things, are they?
> > Yes.
> What Vendors and modules?
Most recent one I saw was some 'antivirus' filescanning module.
The name escapes me. It was mentioned on l-k at the time.
It wasn't the first by any means however. This trick has been used
since vendors stopped exporting sys_call_table.
Dave
On Thu, 11 Mar 2004, Dave Jones wrote:
> > Any thoughts on the future of LKM rootkits in the 2.6 kernel branch ? In
> > the last few years I've become quite interested in them (from a defensive
> > point of view), but with the 2.6 kernel no longer exporting the syscall
> > table, intercepting system calls would appear to be a non-starter now.
> Don't bet on it. They'll just start doing what binary-only driver vendors
> have been doing for months.. If the table isn't exported, they find a symbol
> that is exported, and grovel around in memory near there until they find
> something that looks like it, and patch accordingly.
Why bother .. just find any symbol (function name) which is exported to
modules and also being frequently called somehow indirectly from userland
(VFS layer functions, vm functions, ...) and use this function as an
open-backdoor spell.
It is easy to patch existing rootkits this way.
--
JiKos.