Package: chkrootkit
Version: 0.44-2

When processes with long command lines (>1024 bytes) are running,
chkrootkit may report false positives for LKM Trojan. The reason is that
chkproc crashes with "OooPS, not expected 123456789 value".

The bug can be reproduced by running, e.g.,

xmessage `perl -e 'print "123456789 " x 150'`

(just to have a process with long command line) and then running
chkrootkit.

The bug can be found in the source chkproc.c lines 164-183

   while (fgets(buf, MAX_BUF, ps))
   {
      p = buf;
#if defined(__sun)
      while (isspace(*p)) /* Skip spaces */
          p++;
#endif
      while (!isspace(*p)) /* Skip User */
          p++;
      while (isspace(*p)) /* Skip spaces */
          p++;
/*  printf(">>%s<<\n", p);  /* -- DEBUG */
      ret = atol(p);
      if ( ret < 0 || ret > MAX_PROCESSES )
      {
         fprintf (stderr, " OooPS, not expected %d value\n", ret);
         exit (2);
      }
      psproc[ret] = 1;
   }

This loop reads the output of a ps command. But this fails if ps outputs
a line longer than 1024 (=MAX_BUF) bytes. When processing a long line,
fgets first returns the first 1024 bytes of the line and then the
following parts in later calls. But the loop body takes each continuation
of the line for a new line of the ps output. If, as in the given example,
the command line contains words starting with numbers, then these numbers
may be taken as process ids.

Instead, when processing long lines, it must be checked whether the whole
line has already been read before the next loop iteration starts.
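The truncation described above, as an added example that is not chkrootkit's code: a scanner with a deliberately small buffer runs over a constructed two-line ps output, once with chkproc's original loop (drain == 0) and once discarding the remainder of an over-long line before the next iteration (drain == 1). SAMPLE_PS, scan_ps, run_sample and the 32-byte MAX_BUF are constructed for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#define MAX_BUF 32       /* deliberately tiny so the sample line overflows */
#define MAX_PROCESSES 99999
/* Constructed ps-style output; the second line is longer than MAX_BUF. */
static const char SAMPLE_PS[] = "root 1 /sbin/init\n"
    "ingo 4242 xmessage 123456789 123456789 123456789 123456789 \n";
static unsigned char psproc[MAX_PROCESSES + 1]; /* pid marks, as in chkproc */
/* Same field skipping as chkproc.c: skip User, skip spaces, atol() the pid. */
static long parse_pid(const char *buf)
{
    const char *p = buf;
    while (*p && isspace((unsigned char)*p)) p++;  /* spaces in a continuation chunk */
    while (*p && !isspace((unsigned char)*p)) p++; /* skip User */
    while (*p && isspace((unsigned char)*p)) p++;  /* skip spaces */
    return atol(p);
}
/* drain == 0 reproduces chkproc's loop (every fgets() chunk is a "line");
 * drain != 0 drops the rest of an over-long line. -1 stands for "OooPS". */
int scan_ps(FILE *ps, unsigned char *marks, int drain)
{
    char buf[MAX_BUF];
    int n = 0;
    while (fgets(buf, MAX_BUF, ps)) {
        long ret = parse_pid(buf);
        if (ret < 0 || ret > MAX_PROCESSES)
            return -1;
        marks[ret] = 1; n++;
        if (drain) /* no '\n' yet: remainder of this line is still queued */
            while (!strchr(buf, '\n') && fgets(buf, MAX_BUF, ps))
                ;
    }
    return n;
}
/* Run scan_ps over SAMPLE_PS; returns its result, psproc keeps the marks. */
int run_sample(int drain)
{
    FILE *ps = fmemopen((void *)SAMPLE_PS, strlen(SAMPLE_PS), "r");
    if (!ps) return -2;
    memset(psproc, 0, sizeof psproc);
    int rc = scan_ps(ps, psproc, drain);
    fclose(ps);
    return rc;
}
int pid_marked(long pid) { return psproc[pid]; }
```

With the original loop the second chunk of the long line is parsed as a new ps line and 123456789 is taken for a pid, which is exactly the value chkproc complains about; with draining only pids 1 and 4242 are marked.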

Hope that helped...

Ingo.
