Mailinglist Archive: opensuse-bugs (4256 mails)
[Bug 738837] New: chkrootkit not using "-p" directory for its own sub-modules such as ifpromisc, chklastlog, chkwtmp, etc
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Wed, 28 Dec 2011 23:44:36 +0000
- Message-id: <bug-738837-21960@http.bugzilla.novell.com/>
https://bugzilla.novell.com/show_bug.cgi?id=738837
https://bugzilla.novell.com/show_bug.cgi?id=738837#c0
Summary: chkrootkit not using "-p" directory for its own sub-modules such as ifpromisc, chklastlog, chkwtmp, etc
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: motlreg97@xxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0
I run chkrootkit from a read-only DVD which contains all system binaries, etc.
I also specify the "-p" option pointing to the DVD when running. This works
fine if chkrootkit is installed on the target machine; however, if I run on an
untrusted machine which does not have chkrootkit, I receive the following
errors:
not tested: can't exec /sbin/ifpromisc
not tested: can't exec /sbin/chkutmp
not tested: can't exec /sbin/chklastlog
not tested: can't exec /sbin/chkwtmp
These files are on the secure DVD and they are executable.
Reproducible: Always
Steps to Reproduce:
1. Create a CD or DVD with system binaries including ALL chkrootkit programs.
2. Execute chkrootkit from CD/DVD on a machine which does not have chkrootkit
installed. Use "-p" to specify chkrootkit use the binaries on the CD/DVD.
Actual Results:
not tested: can't exec /sbin/ifpromisc
not tested: can't exec /sbin/chkutmp
not tested: can't exec /sbin/chklastlog
not tested: can't exec /sbin/chkwtmp
Expected Results:
Listed the results of the missing tests.
A quick examination of the chkrootkit script shows tests for the above listed files
being performed relative to "/".
if [ ! -x /sbin/ifpromisc ]; then
    # hard-coded /sbin path on the target; the "-p" directory is not consulted
    echo "not tested: can't exec /sbin/ifpromisc"
    return ${NOT_TESTED}
else
    [ "${QUIET}" != "t" ] && /sbin/ifpromisc -v || /sbin/ifpromisc -q
fi
Using the option "-r" to change the root directory solves the problem; however,
it creates a new problem by causing chkrootkit to run its various tests against
the structure specified by "-r". In my case, the tests would execute against my
DVD and not the desired untrusted target machine.
Although it is rather simple to modify the chkrootkit script, anyone using
chkrootkit will not discover this issue unless the machine they run against
does not have chkrootkit installed. Which means it is possible to run against
chkrootkit components that have been compromised.
If you cannot trust the binaries on the target machine, then nothing, including
the chkrootkit programs on the target, should be trusted.
I believe chkrootkit should use the location defined by "-p" for all of its
tests and not rely on any version (if even present) on the untrusted machine.
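Added example, not the reporter's code and not chkrootkit's own: a POSIX sh lookup that resolves the helper binaries only from the "-p" location and never from /sbin on the target. TRUSTED_PATH (assumed to hold the "-p" value as a colon-separated list), the function names find_trusted_tool and run_trusted_tool, and the NOT_TESTED value are assumptions for this example.

```shell
#!/bin/sh
# Example (not chkrootkit code): look up ifpromisc, chkutmp, chklastlog,
# chkwtmp in the trusted "-p" directories instead of hard-coded /sbin.
# TRUSTED_PATH, find_trusted_tool, run_trusted_tool and the NOT_TESTED
# value are assumed names for this example.

NOT_TESTED=3   # placeholder status; chkrootkit defines its own value

# find_trusted_tool NAME: print the path of NAME if it is an executable
# file inside one of the TRUSTED_PATH directories, else return 1.
# It deliberately never consults /sbin or $PATH on the target machine.
find_trusted_tool() {
    name=$1
    [ -n "$TRUSTED_PATH" ] || return 1
    old_ifs=$IFS
    IFS=:
    for dir in $TRUSTED_PATH; do
        IFS=$old_ifs
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# run_trusted_tool NAME [ARGS...]: the equivalent of the report's
# "if [ ! -x /sbin/ifpromisc ]" block, anchored at the "-p" directories.
# Missing helpers yield "not tested" rather than a fallback to the host copy.
run_trusted_tool() {
    name=$1
    shift
    tool=$(find_trusted_tool "$name") || {
        echo "not tested: can't exec $name (not found in -p path: $TRUSTED_PATH)"
        return "$NOT_TESTED"
    }
    "$tool" "$@"
}
```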