Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd)

From: Dave Aitel (daveat_private)
Date: Fri Jul 05 2002 - 09:07:16 PDT

    On Thu, 2002-07-04 at 09:06, noir sin wrote:
    > 
    > Resend:
    > attachment moved to http://gsu.linux.org.tr/~noir/b.tar.gz
    > since no more than 100K is allowed
    > 
    > Hi,
    > 
    > Recently, Dave Aitel posted a link to a loadable kernel module for the
    > Solaris operating system to check its kernel integrity against backdoors.
    > I downloaded and did some quick analysis on the "product". Simply, it does
    > md5 checksumming on the sysent32 table where pointers to syscall-handling
    > kernel functions reside. These pointers are well known to be manipulated by
    > backdoor LKMs to change the execution order and pre-execute some hacker
    > code that will hide things or feed false information.
    
    <lots of really interesting and cool stuff cut for brevity>
    
    Well, BG 1.0 Free Demo (http://www.immunitysec.com/bodyguard.html) does
    do the dereference, i.e., it checks the system call code itself, not the
    sysent32 table. So theoretically adding exece to BodyGuard's checksum
    table _would_ catch this method, at least for the moment. :> (I'll try
    this later today to make sure.) Did you check to see if you could do the
    same trick to stat64?
    
    The demo version is somewhat limited in what it checks, but DOES work on
    many "popular" kernel-level rootkits. A lot of the goal was to give
    people at least SOME recourse. I recognize that it becomes an escalating
    game of SPY vs SPY, but BG does at least give non-hackers a chip to
    spend in the game - something they didn't have until Monday :>.
    
    There's definitely a window of time where BG will detect a rootkit. This
    is why BG, to be successful, will:
    
    1. Have limited distribution
    2. Ship slightly different executables for each customer
    3. Be sold only on a subscription basis - new versions due out
    periodically throughout the year.
    
    Dave Aitel
    Immunity, Inc
    www.immunitysec.com
    
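The two checks contrasted in this exchange, as an added example that is neither BodyGuard's nor noir's code: a userland C model of a sysent-style table and the kernel text it points into. Checksumming the table alone catches an entry that has been repointed at rootkit code; dereferencing each entry and checksumming the handler's first bytes additionally catches the inline patch noir describes. The last scenario shows the limit behind Dave's "at least for the moment": a patch placed past the bytes the check covers is missed by both. The table layout and field names, PROLOGUE_LEN, the slot numbers, the fake text bytes and the FNV-1a hash standing in for md5 are all assumptions of this example, not values from either tool.

```c
/* Added example (not BodyGuard's or noir's code): a userland model of
 * sysent-table checksumming vs. dereferenced handler checksumming. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NSYSCALL      4      /* toy table; the real sysent32 has hundreds of entries */
#define HANDLER_LEN  16      /* bytes of constructed "text" per handler */
#define PROLOGUE_LEN  8      /* bytes per handler the dereferenced check covers (assumed) */
#define RK_OFF       (NSYSCALL * HANDLER_LEN)   /* where the "rootkit" handler lives */
#define TEXT_LEN     (RK_OFF + HANDLER_LEN)

#define DET_TABLE    1       /* the table-only check flagged a change */
#define DET_HANDLER  2       /* the dereferenced (code) check flagged a change */

enum { SC_NONE, SC_TABLE_HOOK, SC_INLINE_PATCH, SC_DEEP_PATCH };

/* Loosely mimics the sysent fields that matter here: handler location and arg count.
 * Field names are this example's assumption, not the Solaris definition. */
struct sysent { size_t sy_callc; unsigned char sy_narg; };

static uint8_t       ktext[TEXT_LEN];      /* constructed stand-in for kernel text */
static struct sysent sysent_tbl[NSYSCALL];

#define FNV_BASIS 0xcbf29ce484222325ULL
static uint64_t fnv1a(const uint8_t *p, size_t n, uint64_t h)   /* md5 stand-in */
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Check 1: hash the table itself (what noir describes the LKM doing). */
static uint64_t sum_table(void)
{
    return fnv1a((const uint8_t *)sysent_tbl, sizeof sysent_tbl, FNV_BASIS);
}

/* Check 2: follow each entry and hash the first PROLOGUE_LEN bytes of the
 * handler it points at (the "dereference" Dave says BodyGuard does). */
static uint64_t sum_handlers(void)
{
    uint64_t h = FNV_BASIS;
    for (int i = 0; i < NSYSCALL; i++)
        h = fnv1a(ktext + sysent_tbl[i].sy_callc, PROLOGUE_LEN, h);
    return h;
}

/* Lay out a clean image: handler i occupies HANDLER_LEN bytes of a per-handler
 * pattern; the "rootkit" handler sits after the last legitimate one. */
static void build_clean_image(void)
{
    for (size_t off = 0; off < TEXT_LEN; off++)
        ktext[off] = (uint8_t)(0x90 ^ (off / HANDLER_LEN) ^ (off & 7));   /* arbitrary bytes */
    memset(sysent_tbl, 0, sizeof sysent_tbl);   /* keep struct padding deterministic */
    for (int i = 0; i < NSYSCALL; i++) {
        sysent_tbl[i].sy_callc = (size_t)i * HANDLER_LEN;
        sysent_tbl[i].sy_narg  = (unsigned char)(i + 1);
    }
}

static void apply(int sc)
{
    const int victim = 2;   /* arbitrary slot; stands in for something like exece */
    size_t base = sysent_tbl[victim].sy_callc;
    switch (sc) {
    case SC_TABLE_HOOK:     /* classic LKM rootkit: repoint the table entry */
        sysent_tbl[victim].sy_callc = RK_OFF;
        break;
    case SC_INLINE_PATCH:   /* noir's trick: leave sysent alone, overwrite the handler's entry */
        ktext[base] = 0xE9;                 /* illustrative x86 "jmp rel32" opcode */
        memset(ktext + base + 1, 0xAA, 4);  /* illustrative displacement bytes */
        break;
    case SC_DEEP_PATCH:     /* same idea, but placed past the bytes the check covers */
        ktext[base + PROLOGUE_LEN + 2] = 0xE9;
        break;
    default:
        break;
    }
}

/* Returns a DET_* bitmask saying which of the two checks flags the scenario. */
int verify(int sc)
{
    build_clean_image();
    uint64_t t0 = sum_table(), h0 = sum_handlers();   /* baseline, taken while clean */
    apply(sc);
    int r = 0;
    if (sum_table()    != t0) r |= DET_TABLE;
    if (sum_handlers() != h0) r |= DET_HANDLER;
    return r;
}

int main(void)
{
    const char *names[] = { "untouched", "sysent hook", "inline patch", "patch past prologue" };
    for (int sc = SC_NONE; sc <= SC_DEEP_PATCH; sc++) {
        int r = verify(sc);
        printf("%-20s table check: %-8s handler check: %s\n", names[sc],
               (r & DET_TABLE) ? "FLAGGED" : "clean", (r & DET_HANDLER) ? "FLAGGED" : "clean");
    }
    return 0;
}
```

The baseline must be taken before the rootkit loads, which is the "window of time" the post talks about; a checker installed after the fact simply enshrines the hooked state. Widening PROLOGUE_LEN to the whole handler (or hashing the whole kernel text) closes the last scenario at the cost of more work per pass, and the attacker's next move is to tamper with the checker itself, which is the SPY vs SPY escalation the post anticipates.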



    This archive was generated by hypermail 2b30 : Fri Jul 05 2002 - 09:33:54 PDT