https://bugzilla.novell.com/show_bug.cgi?id=738837
https://bugzilla.novell.com/show_bug.cgi?id=738837#c0

Summary: chkrootkit not using "-p" directory for its own sub-modules such as ifpromisc, chklastlog, chkwtmp, etc.
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: motlreg97@aim.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0

I run chkrootkit from a read-only DVD which contains all system binaries, etc. I also specify the "-p" option pointing to the DVD when running. This works fine if chkrootkit is installed on the target machine; however, if I run on an untrusted machine which does not have chkrootkit, I receive the following errors:

    not tested: can't exec /sbin/ifpromisc
    not tested: can't exec /sbin/chkutmp
    not tested: can't exec /sbin/chklastlog
    not tested: can't exec /sbin/chkwtmp

These files are on the secure DVD and they are executable.

Reproducible: Always

Steps to Reproduce:
1. Create a CD or DVD with system binaries including ALL chkrootkit programs.
2. Execute chkrootkit from the CD/DVD on a machine which does not have chkrootkit installed. Use "-p" to specify that chkrootkit should use the binaries on the CD/DVD.

Actual Results:

    not tested: can't exec /sbin/ifpromisc
    not tested: can't exec /sbin/chkutmp
    not tested: can't exec /sbin/chklastlog
    not tested: can't exec /sbin/chkwtmp

Expected Results:
The results of the missing tests are listed.

A quick examination of the chkrootkit script shows the tests for the above listed files being performed relative to "/":

    if [ ! -x /sbin/ifpromisc ]; then
        echo "not tested: can't exec /sbin/ifpromisc"
        return ${NOT_TESTED}
    else
        [ "${QUIET}" != "t" ] && /sbin/ifpromisc -v || /sbin/ifpromisc -q
    fi

Using the option "-r" to change the root directory solves the problem; however, it creates a new problem by causing chkrootkit to run its various tests against the structure specified by "-r". In my case, the tests would execute against my DVD and not the desired untrusted target machine.

Although it is rather simple to modify the chkrootkit script, anyone using chkrootkit will not discover this issue unless the machine they run against does not have chkrootkit installed, which means it is possible to run against chkrootkit components that have been compromised. If you cannot trust the binaries on the target machine, then nothing, including the chkrootkit programs on the target, should be trusted. I believe chkrootkit should use the location defined by "-p" for all of its tests and not rely on any version (if even present) on the untrusted machine.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
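The following is an added example, not chkrootkit's own code, that contrasts the hard-coded /sbin lookup quoted in the report with a lookup that only searches a "-p"-style dir1:dir2 list; the function names, the stub "ifpromisc" script and the temporary directory standing in for the DVD are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not chkrootkit's code. Contrasts the hard-coded /sbin lookup
# quoted in the report with a lookup that honours a "-p"-style directory list.

# Stand-in for the current behaviour: the helper is only ever looked for in
# /sbin on the machine being examined, whatever "-p" was given.
check_hardcoded() {
    helper="/sbin/$1"
    if [ ! -x "$helper" ]; then
        echo "not tested: can't exec $helper"
        return 1
    fi
    echo "would run: $helper"
}

# Proposed behaviour: search only the trusted dir1:dir2:... list given with
# "-p" and never fall back to the target's own /sbin, which may be compromised.
check_trusted() {
    trusted_path="$1"; name="$2"
    old_ifs=$IFS; IFS=:
    for dir in $trusted_path; do
        if [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            echo "would run: $dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    echo "not tested: can't exec $name (not found in $trusted_path)"
    return 1
}

# Demo with a constructed stand-in for the DVD: a temp dir holding a stub
# "ifpromisc" script, deliberately not in /sbin.
demo() {
    dvd=$(mktemp -d)
    printf '#!/bin/sh\necho stub-ifpromisc\n' > "$dvd/ifpromisc"
    chmod +x "$dvd/ifpromisc"
    echo "--- hard-coded lookup (ignores -p) ---"
    check_hardcoded ifpromisc || true
    echo "--- trusted lookup, -p $dvd:/nonexistent ---"
    check_trusted "$dvd:/nonexistent" ifpromisc || true
    check_trusted "$dvd" chkwtmp || true   # absent from the DVD: still not tested
    rm -rf "$dvd"
}
demo
```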