Enough research will tend to support your theory. | |
| Murphy's Law of Research |
This is the platform dependent part of Scanners (i). It contains three things:
Verifying peculiarities of system files.
Choosing appropriate targets to demonstrate infection methods.
Testing scanners on all infected executables.
All together this results in a kind of time warp. The infection methods detected here are described later on. And the list of found clean targets has already been used.
This is the output of find-exec.sh as described in Finding executables (i). The sample of file's output down below (at Food for segment padding) might explain how the sed part is supposed to work.
Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.
Output: out/i386-redhat8.0-linux/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
17 out/i386-redhat8.0-linux/scanner/big.static
1763 out/i386-redhat8.0-linux/scanner/big.dynamic
1780 total |
Output: out/i386-redhat8.0-linux/scanner/small.wc
[_infected] tmp/i386-redhat8.0-linux
8 out/i386-redhat8.0-linux/scanner/small.static
19 out/i386-redhat8.0-linux/scanner/small.dynamic
27 total |
See Sections for the illustrative description of a dumped ELF header. The script itself is at Scan entry point (i).
Output: out/i386-redhat8.0-linux/scanner/entry_point/big.static
files=0017; detected=0000 |
Output: out/i386-redhat8.0-linux/scanner/entry_point/big.dynamic
files=1763; detected=0000 |
On a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1). Which means there is cure against this vulnerability (see The entry point). In the following output ep means "entry point" and sot is "start of .text".
Output: out/i386-redhat8.0-linux/scanner/entry_point/small.static
segment_padding/e1i1/ash.static_infected ep=0x80b3490 sot=0x80480e0
additional_cs/e1i1/ash.static_infected ep=0x8046760 sot=0x80480e0
additional_cs/e1i1/rpm_infected ep=0x8046bf0 sot=0x80480e0
files=0008; detected=0003 |
Output: out/i386-redhat8.0-linux/scanner/entry_point/small.dynamic
segment_padding/e1i1/tcsh_infected ep=0x8091360 sot=0x804a130
segment_padding/e1i1/sync_infected ep=0x804a310 sot=0x8048ab0
segment_padding/e1i1/strip_tcsh_infected ep=0x8091360 sot=0x804a130
additional_cs/e1i1/bash_infected ep=0x8046e10 sot=0x805a740
additional_cs/e1i1/strip_bash_infected ep=0x8046e10 sot=0x805a740
files=0019; detected=0005 |
This is the output of Scan segments (i); only the last few lines of output are shown.
Output: out/i386-redhat8.0-linux/scanner/segment_padding/big.static
CHECK: 1264 > 4096; 0x4f0 > 0x1000
CHECK: /sbin/sash
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 2120 > 4096; 0x848 > 0x1000
CHECK: /sbin/sash
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 2120 > 4096; 0x848 > 0x1000
files=17; ok=7; det_page=10; det_align=10; min=0x0030; max=0x101c |
Output: out/i386-redhat8.0-linux/scanner/segment_padding/big.dynamic
CHECK: 72 > 4096; 0x48 > 0x1000
CHECK: /usr/lib/GNUstep/Apps/WPrefs.app/WPrefs
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 32 > 4096; 0x20 > 0x1000
CHECK: /usr/lib/GNUstep/Apps/WPrefs.app/WPrefs
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 32 > 4096; 0x20 > 0x1000
files=1763; ok=799; det_page=964; det_align=964; min=0x0015; max=0x101f |
On this installation at least 799 + 7 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output is shown. It's enough to see that all infected files are detected.
Output: out/i386-redhat8.0-linux/scanner/segment_padding/small.static
CHECK: 20 > 4096; 0x14 > 0x1000
CHECK: doing_it_in_c/e3i4/ash.static_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 20 > 4096; 0x14 > 0x1000
CHECK: doing_it_in_c/e3i4/ash.static_infected
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 20 > 4096; 0x14 > 0x1000
files=8; ok=0; det_page=8; det_align=6; min=0x0014; max=0x0014 |
Output: out/i386-redhat8.0-linux/scanner/segment_padding/small.dynamic
CHECK: 1 > 4096; 0x1 > 0x1000
CHECK: doing_it_in_c/e3i4/strip_tcsh_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 8 > 4096; 0x8 > 0x1000
CHECK: doing_it_in_c/e3i4/strip_tcsh_infected
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 8 > 4096; 0x8 > 0x1000
files=19; ok=0; det_page=19; det_align=17; min=0x0001; max=0x0008 |
I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh. But on some systems that particular executable is not vulnerable to Segment padding infection. A systematic search for targets starts with extraction of pure file names from the scanner logs.
Source: pre/i386-redhat8.0-linux/scanner/find-ok.sh
#!/bin/bash
scanner=${1:-segment_padding}
prefix=$2
for src in out/i386-redhat8.0-linux/scanner/$1/big.*.full
do
/bin/sed -ne 's/ \.\.\. .* Ok$//p' \
< ${src} > ${src%.full}.ok
done
/usr/bin/wc -l out/i386-redhat8.0-linux/scanner/$1/*.ok |
Output: out/i386-redhat8.0-linux/scanner/segment_padding/find-ok
799 out/i386-redhat8.0-linux/scanner/segment_padding/big.dynamic.ok
7 out/i386-redhat8.0-linux/scanner/segment_padding/big.static.ok
806 total |
These lists can be searched for acceptable file names.
Source: pre/i386-redhat8.0-linux/scanner/find-shell.sh
#!/bin/bash
scanner="$1"
/bin/grep -h -f ./src/scanner/find-shell.lst \
out/i386-redhat8.0-linux/scanner/${scanner}/*.ok
exit 0 |
Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/nash\>
bin/sash\>
bin/sh\>
bin/tcsh\> |
And the winner is …
Output: out/i386-redhat8.0-linux/scanner/segment_padding/find-shell
/bin/tcsh
/bin/ash.static |
This is the output of Food for segment padding (i)
Output: out/i386-redhat8.0-linux/scanner/segment_padding/infect
/bin/tcsh
/bin/ash.static
/bin/sync |
To avoid any suspicion of inadequate paranoia another test with file.
Output: out/i386-redhat8.0-linux/scanner/segment_padding/infect.filetype
/bin/tcsh: ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), dynamically linked (uses shared libs), not stripped
/bin/ash.static: ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), statically linked, not stripped
/bin/sync: ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), dynamically linked (uses shared libs), stripped |
Output: out/i386-redhat8.0-linux/scanner/filesize/big.dynamic
files=1763; ok=1763; detected=0 |
Output: out/i386-redhat8.0-linux/scanner/filesize/big.static
files=17; ok=17; detected=0 |
No detected system files is a strong indication that the heuristic is working. The reverse test requires another infection method, the "File virus". Not implemented, yet. Note that the diagnostics below are issued by function target_get_seg (i), not Scan file size (i).
Output: out/i386-redhat8.0-linux/scanner/filesize/small.dynamic
CHECK: additional_cs/e1i1/bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=19; ok=17; detected=2 |