* LKM rootkits in 2.6.x
From: pg smith @ 2004-03-11 19:26 UTC
To: linux-kernel
Any thoughts on the future of LKM rootkits in the 2.6 kernel branch? In
the last few years I've become quite interested in them (from a defensive
point of view), but with the 2.6 kernel no longer exporting the syscall
table, intercepting system calls would appear to be a non-starter now. In
a perverse sort of way, I'm actually rather disappointed: all that
learning gone to waste.
Cheers,
Pete
* Re: LKM rootkits in 2.6.x
From: Dave Jones @ 2004-03-11 18:48 UTC
To: pg smith; +Cc: linux-kernel
On Thu, Mar 11, 2004 at 11:26:23AM -0800, pg smith wrote:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch? In
> the last few years I've become quite interested in them (from a defensive
> point of view), but with the 2.6 kernel no longer exporting the syscall
> table, intercepting system calls would appear to be a non-starter now.
Don't bet on it. They'll just start doing what binary-only driver vendors
have been doing for months.. If the table isn't exported, they find a symbol
that is exported, and grovel around in memory near there until they find
something that looks like it, and patch accordingly.
Dave
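A defender's counterpart to the patching Dave describes, added here as an example that is not part of this thread: a check that compares a dump of the syscall table against the kernel's own symbol table, flagging slots that point outside the kernel text range or at a function other than the expected handler. The kallsyms lines, the table dump, the x86_64 syscall numbers used as labels and the module name evil_mod are all constructed sample data; on a live system the symbols would come from /proc/kallsyms or System.map and the table from a trusted kernel-side reader.

```python
import re

# Constructed sample of /proc/kallsyms-style lines. kallsyms appends
# "[module]" to symbols that belong to a loaded module (last line).
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _stext
ffffffff81001000 T sys_read
ffffffff81002000 T sys_write
ffffffff81003000 T sys_open
ffffffff81004000 T sys_getdents64
ffffffff81800000 T _etext
ffffffffa0000000 t my_getdents64 [evil_mod]
"""

# Constructed dump of four syscall-table slots (x86_64 numbering).
# Slot 217 (getdents64) has been redirected into the module's address range.
SAMPLE_TABLE = {0: 0xffffffff81001000, 1: 0xffffffff81002000,
                2: 0xffffffff81003000, 217: 0xffffffffa0000000}
EXPECTED_HANDLER = {0: "sys_read", 1: "sys_write",
                    2: "sys_open", 217: "sys_getdents64"}

KALLSYMS_RE = re.compile(r"^([0-9a-f]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?\s*$")

def parse_kallsyms(text):
    """Return {symbol_name: (address, type_char, module_name_or_None)}."""
    syms = {}
    for line in text.splitlines():
        m = KALLSYMS_RE.match(line)
        if m:
            syms[m.group(3)] = (int(m.group(1), 16), m.group(2), m.group(4))
    return syms

def check_syscall_table(table, expected, syms):
    """Return (nr, reason, symbol, module) for every slot that looks patched."""
    stext, etext = syms["_stext"][0], syms["_etext"][0]
    by_addr = {addr: (name, mod) for name, (addr, _, mod) in syms.items()}
    findings = []
    for nr, addr in sorted(table.items()):
        name, mod = by_addr.get(addr, ("<unknown>", None))
        want = syms.get(expected.get(nr))      # None if we have no expectation
        if not stext <= addr < etext:          # points into a module or the heap
            findings.append((nr, "outside kernel text", name, mod))
        elif want is not None and want[0] != addr:   # in-text but wrong function
            findings.append((nr, "unexpected handler", name, mod))
    return findings

if __name__ == "__main__":
    syms = parse_kallsyms(SAMPLE_KALLSYMS)
    for nr, why, name, mod in check_syscall_table(SAMPLE_TABLE, EXPECTED_HANDLER, syms):
        print(f"syscall {nr}: {why} -> {name} [{mod or 'core'}]")
```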
* Re: LKM rootkits in 2.6.x
From: Christophe Saout @ 2004-03-11 19:16 UTC
To: Dave Jones; +Cc: pg smith, linux-kernel
On Thu, 11.03.2004 at 19:48, Dave Jones wrote:
> Don't bet on it. They'll just start doing what binary-only driver vendors
> have been doing for months.. If the table isn't exported, they find a symbol
> that is exported, and grovel around in memory near there until they find
> something that looks like it, and patch accordingly.
Ugh... this sounds ugly. This should be forbidden. I mean, what are
things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
whatever they want?
* Re: LKM rootkits in 2.6.x
From: Valdis.Kletnieks @ 2004-03-11 19:30 UTC
To: Christophe Saout; +Cc: linux-kernel
On Thu, 11 Mar 2004 20:16:28 +0100, Christophe Saout said:
> Ugh... this sounds ugly. This should be forbidden. I mean, what are
> things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> whatever they want?
If the binary blob knows enough about the innards to be able to do binary
patching, it's a derived work and should be GPL.
Even the NVidia driver isn't *that* evil... :)
* Re: LKM rootkits in 2.6.x
From: Horst von Brand @ 2004-03-11 20:42 UTC
To: Valdis.Kletnieks; +Cc: Linux Kernel Mailing List
Christophe Saout <christophe@saout.de> said:
> On Thu, 11 Mar 2004 20:16:28 +0100, Christophe Saout said:
>
> > Ugh... this sounds ugly. This should be forbidden. I mean, what are
> > things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> > whatever they want?
>
> If the binary blob knows enough about the innards to be able to do binary
> patching, it's a derived work and should be GPL.
You are more than welcome to use it as you see fit, and distribute it as
widely as you can ;-)
> Even the NVidia driver isn't *that* evil... :)
:-)
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
* Re: LKM rootkits in 2.6.x
From: Timothy Miller @ 2004-03-11 20:49 UTC
To: Valdis.Kletnieks; +Cc: Christophe Saout, linux-kernel
Valdis.Kletnieks@vt.edu wrote:
> On Thu, 11 Mar 2004 20:16:28 +0100, Christophe Saout said:
>
>
>>Ugh... this sounds ugly. This should be forbidden. I mean, what are
>>things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
>>whatever they want?
>
>
> If the binary blob knows enough about the innards to be able to do binary
> patching, it's a derived work and should be GPL.
Maybe!
Unless the offset of an unexported symbol relative to an exported one is
simply a "fact" which therefore can't be copyrighted.
This sort of thing would probably be unethical, but it might be legal.
* Re: LKM rootkits in 2.6.x
From: Måns Rullgård @ 2004-03-11 19:31 UTC
To: linux-kernel
Christophe Saout <christophe@saout.de> writes:
> On Thu, 11.03.2004 at 19:48, Dave Jones wrote:
>
>> Don't bet on it. They'll just start doing what binary-only driver vendors
>> have been doing for months.. If the table isn't exported, they find a symbol
>> that is exported, and grovel around in memory near there until they find
>> something that looks like it, and patch accordingly.
>
> Ugh... this sounds ugly. This should be forbidden. I mean, what are
> things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> whatever they want?
Who is to stop them? When running in kernel mode you are god.
--
Måns Rullgård
mru@kth.se
* Re: LKM rootkits in 2.6.x
From: Tomasz Torcz @ 2004-03-11 19:49 UTC
To: linux-kernel
On Thu, Mar 11, 2004 at 08:31:49PM +0100, Måns Rullgård wrote:
> Christophe Saout <christophe@saout.de> writes:
> > Ugh... this sounds ugly. This should be forbidden. I mean, what are
> > things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> > whatever they want?
>
> Who is to stop them? When running in kernel mode you are god.
Uhm, Next Generation Secure Computing Base? Running in ring -1. ;)
Sorry, I couldn't resist ;)
--
Tomasz Torcz <zdzichu@irc.-nie.spam-.pl>
Only gods can safely risk perfection,
it's a dangerous thing for a man. -- Alia
* Re: LKM rootkits in 2.6.x
From: Horst von Brand @ 2004-03-11 20:33 UTC
To: Christophe Saout; +Cc: Linux Kernel Mailing List
Christophe Saout <christophe@saout.de> said:
> On Thu, 11.03.2004 at 19:48, Dave Jones wrote:
> > Don't bet on it. They'll just start doing what binary-only driver vendors
> > have been doing for months.. If the table isn't exported, they find a
> > symbol that is exported, and grovel around in memory near there until
> > they find something that looks like it, and patch accordingly.
> Ugh... this sounds ugly. This should be forbidden. I mean, what are
> things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> whatever they want?
It _is_ forbidden. This isn't any kind of accident we are talking about,
this is out and out fraud.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
* Re: LKM rootkits in 2.6.x
From: Christophe Saout @ 2004-03-11 20:35 UTC
To: Horst von Brand; +Cc: Linux Kernel Mailing List
On Thu, 11.03.2004 at 21:33, Horst von Brand wrote:
> > > Don't bet on it. They'll just start doing what binary-only driver vendors
> > > have been doing for months.. If the table isn't exported, they find a
> > > symbol that is exported, and grovel around in memory near there until
> > > they find something that looks like it, and patch accordingly.
>
> > Ugh... this sounds ugly. This should be forbidden. I mean, what are
> > things like EXPORT_SYMBOL_GPL for if drivers are allowed to patch
> > whatever they want?
>
> It _is_ forbidden. This isn't any kind of accident we are talking about,
> this is out and out fraud.
I'm talking about binary modules, not rootkits. Vendors aren't doing
forbidden things, are they?
* Re: LKM rootkits in 2.6.x
From: Dave Jones @ 2004-03-11 23:50 UTC
To: Christophe Saout; +Cc: Horst von Brand, Linux Kernel Mailing List
On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
> > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > this is out and out fraud.
>
> I'm talking about binary modules, not rootkits. Vendors aren't doing
> forbidden things, are they?
Yes.
Dave
* Re: LKM rootkits in 2.6.x
From: Dax Kelson @ 2004-03-12 0:51 UTC
To: Dave Jones; +Cc: Christophe Saout, Horst von Brand, Linux Kernel Mailing List
On Thu, 2004-03-11 at 16:50, Dave Jones wrote:
> On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
>
> > > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > > this is out and out fraud.
> >
> > I'm talking about binary modules, not rootkits. Vendors aren't doing
> > forbidden things, are they?
>
> Yes.
>
> Dave
What Vendors and modules?
* Re: LKM rootkits in 2.6.x
From: Dave Jones @ 2004-03-12 0:57 UTC
To: Dax Kelson; +Cc: Christophe Saout, Horst von Brand, Linux Kernel Mailing List
On Thu, Mar 11, 2004 at 05:51:33PM -0700, Dax Kelson wrote:
> On Thu, 2004-03-11 at 16:50, Dave Jones wrote:
> > On Thu, Mar 11, 2004 at 09:35:32PM +0100, Christophe Saout wrote:
> >
> > > > It _is_ forbidden. This isn't any kind of accident we are talking about,
> > > > this is out and out fraud.
> > >
> > > I'm talking about binary modules, not rootkits. Vendors aren't doing
> > > forbidden things, are they?
> > Yes.
> What Vendors and modules?
Most recent one I saw was some 'antivirus' filescanning module.
The name escapes me. It was mentioned on l-k at the time.
It wasn't the first by any means however. This trick has been used
since vendors stopped exporting sys_call_table.
Dave
* Re: LKM rootkits in 2.6.x
From: Jirka Kosina @ 2004-03-14 0:44 UTC
To: Dave Jones; +Cc: pg smith, linux-kernel
On Thu, 11 Mar 2004, Dave Jones wrote:
> > Any thoughts on the future of LKM rootkits in the 2.6 kernel branch? In
> > the last few years I've become quite interested in them (from a defensive
> > point of view), but with the 2.6 kernel no longer exporting the syscall
> > table, intercepting system calls would appear to be a non-starter now.
> Don't bet on it. They'll just start doing what binary-only driver vendors
> have been doing for months.. If the table isn't exported, they find a symbol
> that is exported, and grovel around in memory near there until they find
> something that looks like it, and patch accordingly.
Why bother .. just find any symbol (function name) which is exported to
modules and also being frequently called somehow indirectly from userland
(VFS layer functions, vm functions, ...) and use this function as an
open-backdoor spell.
It is easy to patch existing rootkits this way.
--
JiKos.
* Re: LKM rootkits in 2.6.x
From: Valdis.Kletnieks @ 2004-03-11 19:39 UTC
To: pg smith; +Cc: linux-kernel
On Thu, 11 Mar 2004 11:26:23 PST, pg smith <pete@linuxbox.co.uk> said:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch? In
Speak of the devil...
Subject: Announcing full functional adore-ng rootkit for 2.6 Kernel
From: stealth <stealth@segfault.net>
Date: Thu, 11 Mar 2004 10:27:00 +0000
To: bugtraq@securityfocus.com
Hi,
At http://stealth.7350.org/rootkits/adore-ng-0.41.tgz you find
the complete port of adore-ng for the Linux kernel 2.6. All
of the stuff you know from earlier kernel 2.4 versions such
as socket-, process- and file-hiding, syslog- and [uw]tmp filtering
has been ported. Additionally since version 0.32 a buffer overflow has
been fixed (doh!) which could lead to crashes when a lot of network
connections exist.
regards,
stealth-
* Re: LKM rootkits in 2.6.x
From: Horst von Brand @ 2004-03-11 20:27 UTC
To: pg smith; +Cc: Linux Kernel Mailing List
pg smith <pete@linuxbox.co.uk> said:
> Any thoughts on the future of LKM rootkits in the 2.6 kernel branch? In
> the last few years I've become quite interested in them (from a defensive
> point of view), but with the 2.6 kernel no longer exporting the syscall
> table, intercepting system calls would appear to be a non-starter now. In
> a perverse sort of way, I'm actually rather disappointed: all that
> learning gone to waste.
If you get to load a module, you are in-kernel. Once there, you can either
use what you know are the offsets for $distro-$version-$arch kernel and be
in business as usual, or fool around on your own. Harder than before, yes.
Impossible, by no means.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513