Security
A rootkit dissected
A recently discovered Linux rootkit has a number of interesting attributes that make it worth a look. While it demonstrates the power that a rootkit has (to perform its "job" as well as hide itself from detection) this particular rootkit also has some fairly serious bugs—some that are almost comical. What isn't known, at least yet, is how the system where it was discovered became infected; there is no exploit used by the rootkit to propagate itself.
The rootkit was reported to the full-disclosure mailing list on November 13 by "stack trace". Customers had noticed that they were being redirected to malicious sites by means of an <iframe> in the HTTP responses from Stack Trace's site. Stack Trace eventually found that the Nginx web server on the system was not delivering the <iframe> and tracked it to a loadable kernel module, which was attached to the posting. Since then, both CrowdStrike and Kaspersky Lab's Threatpost have analyzed the module's behavior.
The first step for a rootkit is to get itself running in the kernel. That can be accomplished by means of a loadable kernel module. In this case, the module is targeted at the most recent 64-bit kernel version used by Debian 6.0 ("Squeeze"):
/lib/modules/2.6.32-5-amd64/kernel/sound/module_init.koThe presence of that file would indicate infection, though a look at the process list is required to determine if the rootkit is actually loaded. Once loaded, the module has a number of different tasks to perform that are described below. The CrowdStrike post has even more detail for those interested.
The rootkit targets HTTP traffic, so that it can inject an <iframe> containing an attack: either a malicious URL or some kind of JavaScript-based attack. In order to do that in a relatively undetectable way, it must impose itself into the kernel's TCP send path. It does so by hooking tcp_sendmsg().
Of course, that function and other symbols that the rootkit wants to access are not exported symbols that would be directly accessible to a kernel module. So the rootkit uses /proc/kallsyms to get the addresses it needs. Amusingly, there is code to fall back to looking for the proper System.map to parse for the addresses, but it is never used due to a bug. Even though the kernel version is hardcoded in several places in the rootkit, the System.map helper function actually uses uname -r to get the version. The inability to fall back to checking System.map, along with this version-getting oddity make it seem like multiple people—with little or no inter-communication—worked on the code. Other odd bugs in the rootkit only add to that feeling.
For example, when hooking various functions, the rootkit carefully saves away the five bytes it needs to overwrite with a jmp instruction, but then proceeds to write 19 bytes at the start of the function. That obliterates 14 bytes of code, which eliminates any possibility of unhooking the function. Beyond that, it can't call the unhooked version of the function either, so the rootkit contains private copies of all the functions it hooks.
Beyond hooking tcp_sendmsg(), the rootkit also attempts to hide its presence. There is code to hide the files that it installs, as well as its threads. The file hiding works well enough by hooking vfs_readdir() and using a list of directories and files that should not be returned. Fortunately (or unfortunately, depending on one's perspective), the thread hiding doesn't work at all. It uses the same file-hiding code, but doesn't look in /proc nor convert the names into PIDs, so ps and other tools show the threads. In the original report, Stack Trace noted two threads named get_http_inj_fr and write_startup_c; those names are fairly descriptive given the behavior being seen. The presence of one or both of those names in the process list would mean that the system has the rootkit loaded.
The rootkit does successfully remove itself from the list of loaded modules. It directly iterates down the kernel's module list and deletes the entry for itself. That way lsmod will not list the module, but it also means that it cannot be unloaded, obviating the "careful" preparations in the hooked functions for that eventuality.
As with other malware (botnets in particular), the rootkit has a "command and control" client. That client contacts a particular server (at a hosting service in Germany) for information about what to inject in the web pages. There is some simple, weak encryption used on the link for both authentication and obfuscation of the message.
Beyond just missing a way to propagate to other systems, the rootkit is also rather likely to fail to persist after a reboot. It has code to continuously monitor and alter /etc/rc.local to add an insmod for the rootkit module. It also hooks vfs_read() to look for the exact insmod line and adjusts the buffer to hide that line from anyone looking at the file. But it just appends the command to rc.local, which means that on a default installation of Debian Squeeze it ends up just after an exit 0 line.
Like much of the rest of the rootkit, the HTTP injection handling shows an odd mix of reasonably sensible choices along with some bugs. It looks at the first buffer to be sent to the remote side, verifies that its source port is 80 and that it is not being sent to the loopback address. It also compares the destination IP address with a list of 1708 search engine IP addresses, and does no further processing if it is on the list.
One of the bugs that allowed Stack Trace to diagnose the problem is the handling of status codes. Instead of looking for the 200 HTTP success code, the rootkit looks for three strings on a blacklist that correspond to HTTP failures. That list is not exhaustive, so Stack Trace was able to see the injection in a 400 HTTP error response. Beyond that, the rootkit cleverly handles chunked Transfer-Encodings and gzip Content-Encodings, though the latter does an in-kernel decompress-inject-compress cycle that could lead to noticeable server performance problems.
None of the abilities of the rootkit are particularly novel, though it is
interesting to see them laid bare like this. As should be obvious, a rootkit
can do an awful lot in a Linux system, and has plenty of ways to hide its
tracks. While this rootkit only hid some of its tracks, some of that may
have happened after the initial development. The CrowdStrike conclusion is
instructive here: "Rather, it seems that this is contract work of an
intermediate programmer with no extensive kernel experience, later
customized beyond repair by the buyer.
"
The question of how the rootkit was installed to begin with is still open.
Given the overall code quality, CrowdStrike is skeptical that some
"custom privilege escalation exploit
" was used. That implies
that some known but unpatched vulnerability (perhaps in a web application)
or some kind of credential leak (e.g. the root password or an SSH
key) was the culprit. Until and unless some mass exploit is used to
propagate an upgraded version of the rootkit, it is really only of academic
interest—except, of course, to anyone whose system is already infected.
Brief items
Security quotes of the week
Only governments have a voice at the ITU. This includes governments that do not support a free and open Internet. Engineers, companies, and people that build and use the web have no vote.
The ITU is also secretive. The treaty conference and proposals are confidential.
Attacking hardened Linux systems with kernel JIT spraying
The "main is usually a function" blog has a discussion on the use of "Jit spraying" techniques to attack the kernel, even when features like supervisor-mode execution prevention are turned on. "JIT spraying is a viable tactic when we (the attacker) control the input to a just-in-time compiler. The JIT will write into executable memory on our behalf, and we have some control over what it writes. Of course, a JIT compiling untrusted code will be careful with what instructions it produces. The trick of JIT spraying is that seemingly innocuous instructions can be trouble when looked at another way."
New Linux Rootkit Emerges (Threat Post)
Threat Post reports the discovery of a rootkit that targets 64-bit Linux systems. "The Linux rootkit does not appear to be a modified version of any known piece of malware and it first came to light last week when someone posted a quick description and analysis of it on the Full Disclosure mailing list. That poster said that his site had been targeted by the malware and some of his customers had been redirected to malicious sites."
New vulnerabilities
java-1.5.0-ibm: two vulnerabilities
Package(s): | java-1.5.0-ibm | CVE #(s): | CVE-2012-4820 CVE-2012-4822 | ||||||||||||||||
Created: | November 16, 2012 | Updated: | November 23, 2012 | ||||||||||||||||
Description: | From the Red Hat advisory: CVE-2012-4820 IBM JDK: java.lang.reflect.Method invoke() code execution CVE-2012-4822 IBM JDK: java.lang.class code execution | ||||||||||||||||||
Alerts: |
|
java-1.6.0-ibm: code execution
Package(s): | java-1.6.0-ibm | CVE #(s): | CVE-2012-4823 | ||||||||
Created: | November 16, 2012 | Updated: | November 21, 2012 | ||||||||
Description: | From the Red Hat advisory: CVE-2012-4823 IBM JDK: java.lang.ClassLoder defineClass() code execution | ||||||||||
Alerts: |
|
java-1.7.0-ibm: code execution
Package(s): | java-1.7.0-ibm | CVE #(s): | CVE-2012-4821 | ||||
Created: | November 16, 2012 | Updated: | November 21, 2012 | ||||
Description: | From the Red Hat advisory: CVE-2012-4821 IBM JDK: getDeclaredMethods() and setAccessible() code execution | ||||||
Alerts: |
|
kdelibs: multiple vulnerabilities
Package(s): | kdelibs | CVE #(s): | CVE-2012-4515 CVE-2012-4514 | ||||||||||||||||||||||||
Created: | November 16, 2012 | Updated: | February 18, 2013 | ||||||||||||||||||||||||
Description: | From the Fedora advisory: Bug #865831 - CVE-2012-4515 kdelibs: Use-after-free when context menu being used whilst the document DOM is being changed from within JavaScript Bug #869681 - CVE-2012-4514 kdelibs (khtml): NULL pointer dereference when trying to reuse a frame with null part | ||||||||||||||||||||||||||
Alerts: |
|
libtiff: code execution
Package(s): | tiff | CVE #(s): | CVE-2012-4564 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Created: | November 15, 2012 | Updated: | December 31, 2012 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description: | From the Ubuntu advisory: Huzaifa S. Sidhpurwala discovered that the ppm2tiff tool incorrectly handled certain malformed PPM images. If a user or automated system were tricked into opening a specially crafted PPM image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. (CVE-2012-4564) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Alerts: |
|
libunity-webapps: code execution
Package(s): | libunity-webapps | CVE #(s): | CVE-2012-4551 | ||||
Created: | November 21, 2012 | Updated: | November 21, 2012 | ||||
Description: | From the Ubuntu advisory:
It was discovered that libunity-webapps improperly handled certain hash tables. A remote attacker could use this issue to cause libunity-webapps to crash, or possibly execute arbitrary code. | ||||||
Alerts: |
|
mozilla: multiple vulnerabilities
Package(s): | firefox, thunderbird | CVE #(s): | CVE-2012-4201 CVE-2012-4202 CVE-2012-4207 CVE-2012-4209 CVE-2012-4210 CVE-2012-4214 CVE-2012-4215 CVE-2012-4216 CVE-2012-5829 CVE-2012-5830 CVE-2012-5833 CVE-2012-5835 CVE-2012-5839 CVE-2012-5840 CVE-2012-5841 CVE-2012-5842 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Created: | November 21, 2012 | Updated: | January 8, 2013 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description: | From the Red Hat advisory:
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842) A buffer overflow flaw was found in the way Firefox handled GIF (Graphics Interchange Format) images. A web page containing a malicious GIF image could cause Firefox to crash or, possibly, execute arbitrary code with the privileges of the user running Firefox. (CVE-2012-4202) A flaw was found in the way the Style Inspector tool in Firefox handled certain Cascading Style Sheets (CSS). Running the tool (Tools -> Web Developer -> Inspect) on malicious CSS could result in the execution of HTML and CSS content with chrome privileges. (CVE-2012-4210) A flaw was found in the way Firefox decoded the HZ-GB-2312 character encoding. A web page containing malicious content could cause Firefox to run JavaScript code with the permissions of a different website. (CVE-2012-4207) A flaw was found in the location object implementation in Firefox. Malicious content could possibly use this flaw to allow restricted content to be loaded by plug-ins. (CVE-2012-4209) A flaw was found in the way cross-origin wrappers were implemented. Malicious content could use this flaw to perform cross-site scripting attacks. (CVE-2012-5841) A flaw was found in the evalInSandbox implementation in Firefox. Malicious content could use this flaw to perform cross-site scripting attacks. (CVE-2012-4201) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Alerts: |
|
mysql: multiple unspecified vulnerabilities
Package(s): | mysql | CVE #(s): | CVE-2012-0540 CVE-2012-1689 CVE-2012-1734 CVE-2012-2749 | ||||||||||||||||||||||||||||||||||||||||||||
Created: | November 15, 2012 | Updated: | October 17, 2013 | ||||||||||||||||||||||||||||||||||||||||||||
Description: | From the Red Hat advisory: 833737 - CVE-2012-2749 mysql: crash caused by wrong calculation of key length for sort order index 841349 - CVE-2012-0540 mysql: unspecified vulnerability related to GIS extension DoS (CPU Jul 2012) 841351 - CVE-2012-1689 mysql: unspecified vulnerability related to Server Optimizer DoS (CPU Jul 2012) 841353 - CVE-2012-1734 mysql: unspecified vulnerability related to Server Optimizer DoS (CPU Jul 2012) | ||||||||||||||||||||||||||||||||||||||||||||||
Alerts: |
|
phpmyadmin: cross-site scripting
Package(s): | phpmyadmin | CVE #(s): | CVE-2012-5339 CVE-2012-5368 | ||||
Created: | November 20, 2012 | Updated: | November 21, 2012 | ||||
Description: | From the CVE entries:
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger. (CVE-2012-5339) phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code. (CVE-2012-5368) | ||||||
Alerts: |
|
python-keyring: weak cryptography
Package(s): | python-keyring | CVE #(s): | CVE-2012-4571 | ||||||||
Created: | November 21, 2012 | Updated: | December 4, 2013 | ||||||||
Description: | From the Ubuntu advisory:
Dwayne Litzenberger discovered that Python Keyring's CryptedFileKeyring file format used weak cryptography. A local attacker may use this issue to brute-force CryptedFileKeyring keyring files. | ||||||||||
Alerts: |
|
ruby: denial of service
Package(s): | ruby | CVE #(s): | CVE-2012-5371 | ||||||||||||||||||||||||||||
Created: | November 19, 2012 | Updated: | December 7, 2012 | ||||||||||||||||||||||||||||
Description: | From the Red Hat bugzilla:
Ruby 1.9.3-p327 was released to correct a hash-flooding DoS vulnerability that only affects 1.9.x and the 2.0.0 preview [1]. As noted in the upstream report: Carefully crafted sequence of strings can cause a denial of service attack on the service that parses the sequence to create a Hash object by using the strings as keys. For instance, this vulnerability affects web application that parses the JSON data sent from untrusted entity. This vulnerability is similar to CVS-2011-4815 for ruby 1.8.7. ruby 1.9 versions were using modified MurmurHash function but it's reported that there is a way to create sequence of strings that collide their hash values each other. This fix changes the Hash function of String object from the MurmurHash to SipHash 2-4. Ruby 1.8.x is not noted as being affected by this flaw. | ||||||||||||||||||||||||||||||
Alerts: |
|
typo3-src: multiple vulnerabilities
Package(s): | typo3-src | CVE #(s): | |||||
Created: | November 16, 2012 | Updated: | November 21, 2012 | ||||
Description: | From the Debian advisory: Several vulnerabilities were discovered in TYPO3, a content management system. This update addresses cross-site scripting, SQL injection, and information disclosure vulnerabilities and corresponds to TYPO3-CORE-SA-2012-005. | ||||||
Alerts: |
|
weechat: code execution
Package(s): | weechat | CVE #(s): | CVE-2012-5854 | ||||||||||||||||||||||||||||||||||||
Created: | November 19, 2012 | Updated: | November 28, 2012 | ||||||||||||||||||||||||||||||||||||
Description: | From the CVE entry:
Heap-based buffer overflow in WeeChat 0.3.6 through 0.3.9 allows remote attackers to cause a denial of service (crash or hang) and possibly execute arbitrary code via crafted IRC colors that are not properly decoded. | ||||||||||||||||||||||||||||||||||||||
Alerts: |
|
xen: multiple vulnerabilities
Package(s): | Xen | CVE #(s): | CVE-2012-3497 CVE-2012-4535 CVE-2012-4536 CVE-2012-4537 CVE-2012-4538 CVE-2012-4539 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Created: | November 16, 2012 | Updated: | December 24, 2012 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Description: | From the SUSE advisory: * CVE-2012-4535: xen: Timer overflow DoS vulnerability (XSA 20) * CVE-2012-4536: xen: pirq range check DoS vulnerability (XSA 21) * CVE-2012-4537: xen: Memory mapping failure DoS vulnerability (XSA 22) * CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability (XSA 23) * CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability (XSA 24) * CVE-2012-3497: xen: multiple TMEM hypercall vulnerabilities (XSA-15) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Alerts: |
|
Page editor: Jake Edge
Next page:
Kernel development>>