DR rootkit released under the GPL
By Jake Edge
September 10, 2008
A free software Linux rootkit has been announced with a number of
interesting features. Its availability may, unfortunately, help lower the bar
for "script kiddies" and others, but it also provides a nice look into what
makes up a rootkit. The rootkit, called DR for Debug Register, uses some
new techniques to evade detection; even a change recently proposed for
inclusion in the kernel would have missed it.
A rootkit is malware that typically hooks into the kernel to hide its
presence from administrators. Usually, rootkits can hide their processes
from /proc, which in turn means ps won't see them, but
sophisticated rootkits do much more than that. DR can also hide network
sockets and files in the filesystem that are associated with rootkit processes.
There are some benefits to this approach as
the announcement describes:
The major benefit of the DR rootkit is that all this happens
transparently to the end user. The children of a hidden process are also
automatically hidden. The sockets a hidden process creates are also
hidden. But if you are a hidden process, you can see hidden resources.
This makes the DR rootkit nicely manageable.
Unlike many rootkits, DR does not alter the system call table at all.
Instead it sets a hardware breakpoint, using the CPU debug registers that
give it its name, on syscall_call(), the routine that runs whenever a
system call is made. When that breakpoint fires, the rootkit's debug
exception handler arms a second, data breakpoint on the memory location
where the function pointer for the requested system call lives
(i.e. sys_call_table[__NR_syscall]). When the kernel reads the address from
that location, the handler substitutes the address of the code the rootkit
wants to run instead: the system call hook. Because the table itself is
never written, a check that only looks for modified table entries sees
nothing amiss.
The system call hooks are where the work of evading detection is done. By
hooking fewer than a dozen different calls, DR can hide its processes,
files, and sockets. A process marks itself hidden by calling exec()
on a special filename, one that starts with
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA". The exec() fails, but the hook sets the
"hidden" bit on the calling process, so a shell or some malware spawned
after the failed exec() is no longer visible to the rest of the
system.
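The two mechanisms just described, the debug-register hook that diverts a system call without ever writing to sys_call_table and the exec() of a magic filename that sets the hidden bit, as an added user-space model in C. This is not DR's code and none of it runs in the kernel: the task list, the two model system calls, the watch array standing in for the debug registers and their exception handler, and the FNV-1a table hash are all assumptions made for the illustration. It also shows why a check that only hashes the table's bytes still passes after the hooks are armed, while a check that asks whether any debug register is armed at all does not.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added user-space model, not DR's code: every name and datum here is invented. */
typedef long (*syscall_fn)(long arg);

/* Kernel task list (model) plus the per-task "hidden" bit DR keeps. */
#define NPROC 6
struct task { int pid, ppid; bool hidden; };
static struct task tasks[NPROC] = {            /* init, sshd, bash, dropper, child, cron */
    {1, 0, 0}, {100, 1, 0}, {200, 100, 0}, {300, 200, 0}, {301, 300, 0}, {400, 1, 0},
};
static int current_pid = 200;                  /* task issuing the syscall */

static struct task *find_task(int pid)
{
    for (int i = 0; i < NPROC; i++) if (tasks[i].pid == pid) return &tasks[i];
    return NULL;
}

/* Genuine (model) syscalls: execve always fails because the magic name never
 * exists; getdents on /proc writes every pid to the caller's buffer. */
static long sys_execve(long arg) { (void)arg; return -ENOENT; }
static long sys_getdents(long arg)
{
    for (int i = 0; i < NPROC; i++) ((int *)arg)[i] = tasks[i].pid;
    return NPROC;
}
#define __NR_execve   0
#define __NR_getdents 1
static syscall_fn sys_call_table[] = { sys_execve, sys_getdents };

/* ---- rootkit side ---- */
#define MAGIC "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Hidden if the task or any ancestor carries the bit: children inherit it. */
static bool is_hidden(const struct task *t)
{
    for (; t; t = find_task(t->ppid)) if (t->hidden) return true;
    return false;
}
static long hook_execve(long arg)
{
    if (strncmp((const char *)arg, MAGIC, strlen(MAGIC)) != 0) return sys_execve(arg);
    find_task(current_pid)->hidden = true;     /* flag the caller ... */
    return -ENOENT;                            /* ... and fail, as the caller expects */
}
static long hook_getdents(long arg)
{
    int *pids = (int *)arg;
    long n = sys_getdents(arg), keep = 0;
    if (is_hidden(find_task(current_pid))) return n;   /* hidden tasks see everything */
    for (long i = 0; i < n; i++) if (!is_hidden(find_task(pids[i]))) pids[keep++] = pids[i];
    return keep;
}

/* The data breakpoint (model): one "debug register" per watched table slot and
 * the debug-exception handler that rewrites the value the kernel just loaded. */
struct dr { const syscall_fn *slot; syscall_fn replacement; };
static struct dr watch[2];
static void arm_watchpoints(void)
{
    watch[0] = (struct dr){ &sys_call_table[__NR_execve],   hook_execve };
    watch[1] = (struct dr){ &sys_call_table[__NR_getdents], hook_getdents };
}
static long do_syscall(int nr, long arg)
{
    syscall_fn fn = sys_call_table[nr];        /* the watched memory read */
    for (int i = 0; i < 2; i++)                /* the handler fixes up what was loaded */
        if (watch[i].slot == &sys_call_table[nr]) fn = watch[i].replacement;
    return fn(arg);
}

/* ---- detection side ---- */
/* A check that only hashes the table's bytes (FNV-1a) passes before and after. */
static uint64_t table_hash(void)
{
    const unsigned char *p = (const unsigned char *)sys_call_table;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof sys_call_table; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
/* The check that would notice: is any debug register armed at all? */
static int armed_watchpoints(void)
{
    int n = 0;
    for (int i = 0; i < 2; i++) if (watch[i].slot) n++;
    return n;
}

int main(void)
{
    int pids[NPROC];
    uint64_t before = table_hash();
    arm_watchpoints();
    printf("table hash unchanged: %s, armed watchpoints: %d\n",
           table_hash() == before ? "yes" : "no", armed_watchpoints());
    current_pid = 300; do_syscall(__NR_execve, (long)MAGIC "/x");   /* dropper hides itself */
    current_pid = 200; printf("bash sees %ld of %d tasks\n", do_syscall(__NR_getdents, (long)pids), NPROC);
    current_pid = 301; printf("hidden child sees %ld tasks\n", do_syscall(__NR_getdents, (long)pids));
    return 0;
}
```

Compile with cc -std=c99 and run it: the table hash is unchanged, two watchpoints are armed, bash sees four of the six tasks and the hidden child sees all six. The model covers only processes; the announcement says the same flag also governs the files and sockets a hidden process owns. On real hardware the equivalent of armed_watchpoints() is reading the debug control register, which a rootkit that already controls the kernel could just as easily lie about.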
There are some limitations outlined in the announcement, the biggest of
which is that DR is implemented as a kernel module that makes no attempt to
hide its own presence. An lsmod will show it plainly, and there are other
ways to detect it as well. Fixing those is on the "to do" list and
would not take a very large effort to complete.
DR was created by Immunity, Inc. as part of its penetration testing work
and has been released under the GPLv2. It contains roughly 1200 lines of
well-documented code that should be of interest to anyone curious about
rootkits. It is not the first rootkit available with source code; Adore
predates it by several years and there are probably others. But it is an
interesting, if a bit scary, release.
Comments (4 posted)
New vulnerabilities
adminutil: multiple vulnerabilities
Package(s): adminutil
CVE #(s): CVE-2008-2928, CVE-2008-2929, CVE-2008-2932
Created: September 10, 2008
Updated: September 10, 2008
Description: adminutil suffers from several vulnerabilities, including a buffer overflow in its accept-language parsing code and a heap overflow in input parsing.
Alerts:
awstats: cross-site scripting
Package(s): awstats
CVE #(s): CVE-2008-3714
Created: September 10, 2008
Updated: December 8, 2008
Description: awstats through version 6.8 suffers from a cross-site scripting vulnerability; see this page for details.
Alerts:
bitlbee: account hijack
Package(s): bitlbee
CVE #(s): CVE-2008-3920, CVE-2008-3969
Created: September 5, 2008
Updated: September 24, 2008
Description: Upstream released Bitlbee 1.2.2 with the following changes to the former release:
- Security bugfix: It was possible to hijack accounts (without gaining access to the old account, it's simply an overwrite)
- Some more stability improvements.
The 1.2.3 release "completes" the fix for these problems.
Alerts:
|
clamav: multiple vulnerabilities
Package(s): clamav
CVE #(s): CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914
Created: September 10, 2008
Updated: November 14, 2008
Description: Version 0.94 of clamav fixes a number of problems, including a number of denial of service vulnerabilities and "a number of unspecified vulnerabilities".
Alerts:
|
courier-authlib: SQL injection
Package(s): courier-authlib
CVE #(s): CVE-2008-2667
Created: September 8, 2008
Updated: December 26, 2008
Description: From the Gentoo advisory:
It has been discovered that some input (e.g. the username) passed to the library is not properly sanitised before being used in SQL queries.
A remote attacker could provide specially crafted input to the library, possibly resulting in the remote execution of arbitrary SQL commands.
NOTE: Exploitation of this vulnerability requires that a MySQL database is used for authentication and that a Non-Latin character set is selected.
Alerts:
|
django: cross-site request forgery
Package(s): django
CVE #(s):
Created: September 4, 2008
Updated: September 10, 2008
Description: From the Mandriva alert:
A cross-site request forgery vulnerability was discovered in Django that, if exploited, could be used to perform unrequested deletion or modification of data. Updated versions of Django will now discard posts from users whose sessions have expired, so data will need to be re-entered in these cases.
Alerts:
|
drupal: multiple vulnerabilities
Package(s): drupal
CVE #(s): CVE-2008-3740, CVE-2008-3741, CVE-2008-3742, CVE-2008-3744
Created: September 10, 2008
Updated: September 10, 2008
Description: Versions of drupal through 5.9 have several vulnerabilities, including multiple cross-site scripting issues, an unrestricted upload problem, and multiple cross-site request forgery problems.
Alerts:
|
php: multiple vulnerabilities
Package(s): php
CVE #(s):
Created: September 4, 2008
Updated: September 10, 2008
Description: PHP 4 has four vulnerabilities. From the Slackware change log for PHP 4.4.9:
- Fixed overflow in memnstr().
- Fixed crash in imageloadfont when an invalid font is given.
- Fixed open_basedir handling issue in the curl extension.
- Fixed bug #27421 (mbstring.func_overload set in .htaccess becomes global).
This is the final Slackware release for PHP 4.
Alerts:
|
R: temporary file vulnerability
Package(s): R
CVE #(s):
Created: September 10, 2008
Updated: September 10, 2008
Description: The R programming language suffers from a temporary file vulnerability in its "javareconf" script.
Alerts:
|
samba: wrong permissions of group_mapping.ldb
Package(s): samba
CVE #(s): CVE-2008-3789
Created: September 5, 2008
Updated: December 3, 2008
Description: From the samba advisory: The file group_mapping.ldb is created with the permissions 0666. That means everyone is able to edit this file and gain additional access rights while connecting remotely to the Samba server. By manipulating the SID mappings contained in this file, it is also possible to establish a connection that runs in the privileged root context.
Alerts:
|
vlc: multiple vulnerabilities
Package(s): vlc
CVE #(s): CVE-2008-3732, CVE-2008-3794
Created: September 8, 2008
Updated: September 10, 2008
Description: From the Gentoo advisory:
g_ reported the following vulnerabilities:
* An integer overflow leading to a heap-based buffer overflow in the Open() function in modules/demux/tta.c (CVE-2008-3732).
* A signedness error leading to a stack-based buffer overflow in the mms_ReceiveCommand() function in modules/access/mms/mmstu.c (CVE-2008-3794).
A remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application.
Alerts:
|
wordpress: privilege escalation
Package(s): wordpress
CVE #(s): CVE-2008-3747
Created: September 5, 2008
Updated: September 12, 2008
Description: The (1) get_edit_post_link and (2) get_edit_comment_link functions in wp-includes/link-template.php in WordPress before 2.6.1 do not force SSL communication in the intended situations, which might allow remote attackers to gain administrative access by sniffing the network for a cookie.
Alerts:
|
xastir: insecure temporary files
Package(s): xastir
CVE #(s):
Created: September 5, 2008
Updated: September 10, 2008
Description: Multiple insecure temporary file usage flaws were identified in the get-maptools.sh and get_shapelib.sh scripts shipped in xastir packages. As those scripts are not needed with Fedora-distributed xastir packages (they automate installation of libraries used by xastir, which are provided in the Fedora archive in the pre-packaged RPM format), they were removed.
Alerts:
|
xine-lib: denial of service
Package(s): xine-lib
CVE #(s): CVE-2008-3231
Created: September 10, 2008
Updated: September 10, 2008
Description: xine-lib up to version 1.1.15 suffers from a denial-of-service vulnerability exploitable via a corrupted Ogg file. There are also "multiple possible buffer overflows." See this advisory for more information.
Alerts:
|
Page editor: Jake Edge