7. Scanners

Enough research will tend to support your theory.

 Murphy's Law of Research

This is the platform-dependent part of Scanners (i). It contains three things:

Taken together this results in a kind of time warp: the infection methods detected here are described later on, and the list of clean targets found here has already been used.

7.1. Finding executables

This is the output of find-exec.sh as described in Finding executables (i). The sample output of file(1) further down (at Food for segment padding) should explain what the sed part is meant to do.

Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.

Output: out/i386-redhat8.0-linux/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
     17 out/i386-redhat8.0-linux/scanner/big.static
   1763 out/i386-redhat8.0-linux/scanner/big.dynamic
   1780 total

Output: out/i386-redhat8.0-linux/scanner/small.wc
[_infected] tmp/i386-redhat8.0-linux
      8 out/i386-redhat8.0-linux/scanner/small.static
     19 out/i386-redhat8.0-linux/scanner/small.dynamic
     27 total

7.2. Scan entry point

See Sections for the illustrative description of a dumped ELF header. The script itself is at Scan entry point (i).

Output: out/i386-redhat8.0-linux/scanner/entry_point/big.static
files=0017; detected=0000

Output: out/i386-redhat8.0-linux/scanner/entry_point/big.dynamic
files=1763; detected=0000

On a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1), which means there is a cure for this weakness (see The entry point). In the following output ep means "entry point" and sot is "start of .text".

Output: out/i386-redhat8.0-linux/scanner/entry_point/small.static
segment_padding/e1i1/ash.static_infected     ep=0x80b3490  sot=0x80480e0 
additional_cs/e1i1/ash.static_infected       ep=0x8046760  sot=0x80480e0 
additional_cs/e1i1/rpm_infected              ep=0x8046bf0  sot=0x80480e0 
files=0008; detected=0003

Output: out/i386-redhat8.0-linux/scanner/entry_point/small.dynamic
segment_padding/e1i1/tcsh_infected           ep=0x8091360  sot=0x804a130 
segment_padding/e1i1/sync_infected           ep=0x804a310  sot=0x8048ab0 
segment_padding/e1i1/strip_tcsh_infected     ep=0x8091360  sot=0x804a130 
additional_cs/e1i1/bash_infected             ep=0x8046e10  sot=0x805a740 
additional_cs/e1i1/strip_bash_infected       ep=0x8046e10  sot=0x805a740 
files=0019; detected=0005

7.3. Scan segments

This is the output of Scan segments (i); only the last few lines of output are shown.

Output: out/i386-redhat8.0-linux/scanner/segment_padding/big.static
CHECK: 1264 > 4096; 0x4f0 > 0x1000
CHECK: /sbin/sash
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 2120 > 4096; 0x848 > 0x1000
CHECK: /sbin/sash
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 2120 > 4096; 0x848 > 0x1000
files=17; ok=7; det_page=10; det_align=10; min=0x0030; max=0x101c

Output: out/i386-redhat8.0-linux/scanner/segment_padding/big.dynamic
CHECK: 72 > 4096; 0x48 > 0x1000
CHECK: /usr/lib/GNUstep/Apps/WPrefs.app/WPrefs
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 32 > 4096; 0x20 > 0x1000
CHECK: /usr/lib/GNUstep/Apps/WPrefs.app/WPrefs
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 32 > 4096; 0x20 > 0x1000
files=1763; ok=799; det_page=964; det_align=964; min=0x0015; max=0x101f

On this installation at least 799 + 7 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output are shown. It's enough to see that all infected files are detected.

Output: out/i386-redhat8.0-linux/scanner/segment_padding/small.static
CHECK: 20 > 4096; 0x14 > 0x1000
CHECK: doing_it_in_c/e3i4/ash.static_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 20 > 4096; 0x14 > 0x1000
CHECK: doing_it_in_c/e3i4/ash.static_infected
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 20 > 4096; 0x14 > 0x1000
files=8; ok=0; det_page=8; det_align=6; min=0x0014; max=0x0014

Output: out/i386-redhat8.0-linux/scanner/segment_padding/small.dynamic
CHECK: 1 > 4096; 0x1 > 0x1000
CHECK: doing_it_in_c/e3i4/strip_tcsh_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x1000)
CHECK: 8 > 4096; 0x8 > 0x1000
CHECK: doing_it_in_c/e3i4/strip_tcsh_infected
CHECK: src/scanner/segment_padding/action.inc#20
CHECK: (delta) > (0x1000)
CHECK: 8 > 4096; 0x8 > 0x1000
files=19; ok=0; det_page=19; det_align=17; min=0x0001; max=0x0008
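As an added example (not code from the HOWTO, whose scanners are shell scripts with C includes such as action.inc that this page does not show), the following Python reproduces the two heuristics of Scan entry point (7.2) and Scan segments (7.3) over two constructed in-memory ELF32 images, one clean and one whose headers imitate a segment padding infection. Everything beyond the ELF32 header layout is an assumption: the image builder, the sample file names, and in particular the meaning of delta, taken here as the virtual gap between the end of the text segment and the start of the data segment and judged against the `(delta) > (0x1000)` condition that appears in the output above.

```python
"""Entry point and segment padding heuristics over constructed ELF32 images.

Added example, not code from the HOWTO. The delta definition and the
thresholds are assumptions chosen to reproduce the shape of its output.
"""
import struct

PAGE = 0x1000                # i386 page size behind the HOWTO's "0x1000" check
PT_LOAD = 1
EHDR = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little endian
PHDR = "<8I"                 # Elf32_Phdr
SHDR = "<10I"                # Elf32_Shdr
BASE = 0x8048000             # usual i386 text segment base


def build_elf32(entry, text_memsz):
    """Constructed sample image (not a real binary): ELF header, two PT_LOAD
    headers, 64 bytes of .text at 0x80, .data at 0x120, .shstrtab at 0x130 and
    four section headers at 0x160. Only the fields a scanner reads matter."""
    shstr = b"\0.text\0.data\0.shstrtab\0"
    data_vaddr = BASE + PAGE + 0x120   # classic ld layout: next page, same page offset
    img = bytearray(0x200)
    struct.pack_into(EHDR, img, 0, b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                     2, 3, 1, entry, 52, 0x160, 0, 52, 32, 2, 40, 4, 3)
    struct.pack_into(PHDR, img, 52, PT_LOAD, 0, BASE, BASE, 0x100, text_memsz, 5, PAGE)
    struct.pack_into(PHDR, img, 84, PT_LOAD, 0x120, data_vaddr, data_vaddr, 0x10, 0x10, 6, PAGE)
    img[0x80:0xc0] = b"\x90" * 0x40    # .text body: NOPs stand in for code
    img[0x130:0x130 + len(shstr)] = shstr
    struct.pack_into(SHDR, img, 0x160 + 40, 1, 1, 6, BASE + 0x80, 0x80, 0x40, 0, 0, 16, 0)
    struct.pack_into(SHDR, img, 0x160 + 80, 7, 1, 3, data_vaddr, 0x120, 0x10, 0, 0, 32, 0)
    struct.pack_into(SHDR, img, 0x160 + 120, 13, 3, 0, 0, 0x130, len(shstr), 0, 0, 1, 0)
    return bytes(img)


def parse_elf32(data):
    """Return the entry point, the PT_LOAD headers and the named sections."""
    if data[:4] != b"\x7fELF" or data[4] != 1:   # EI_CLASS 1 = ELFCLASS32
        raise ValueError("not an ELF32 image")
    f = struct.unpack_from(EHDR, data, 0)
    entry, phoff, shoff, phnum, shnum, shstrndx = f[4], f[5], f[6], f[10], f[12], f[13]
    phdrs = [struct.unpack_from(PHDR, data, phoff + i * 32) for i in range(phnum)]
    loads = [{"offset": p[1], "vaddr": p[2], "filesz": p[4], "memsz": p[5]}
             for p in phdrs if p[0] == PT_LOAD]
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * 40) for i in range(shnum)]
    strtab = shdrs[shstrndx][4]               # file offset of .shstrtab
    sections = {}
    for s in shdrs[1:]:                       # index 0 is the null section
        start = strtab + s[0]
        name = data[start:data.index(b"\0", start)].decode()
        sections[name] = {"addr": s[3], "size": s[5]}
    return {"entry": entry, "loads": loads, "sections": sections}


def check_entry_point(elf):
    """7.2: ep must lie inside .text; sot is the start of .text as in the output."""
    text = elf["sections"][".text"]
    ep, sot = elf["entry"], text["addr"]
    return {"ep": ep, "sot": sot, "detected": not sot <= ep < sot + text["size"]}


def check_segment_padding(elf):
    """7.3: delta is assumed to be the virtual gap between the end of the text
    segment and the start of the data segment. A classic layout leaves about a
    page; a padding infector fills it, so the check "(delta) > (0x1000)" fails."""
    text, data = elf["loads"][0], elf["loads"][1]
    delta = data["vaddr"] - (text["vaddr"] + text["memsz"])
    return {"delta": delta, "detected": not delta > PAGE}


def scan(images):
    """Scan {name: image}; return per-file results and a HOWTO-style summary line."""
    results = []
    for name, image in images.items():
        elf = parse_elf32(image)
        ep, pad = check_entry_point(elf), check_segment_padding(elf)
        results.append({"file": name, "ep": ep["ep"], "sot": ep["sot"],
                        "delta": pad["delta"],
                        "detected": ep["detected"] or pad["detected"]})
    summary = "files=%04d; detected=%04d" % (len(results), sum(r["detected"] for r in results))
    return results, summary


# Constructed samples: a clean image, and one whose headers imitate a segment
# padding infection (entry moved past .text, text segment grown to leave 20 bytes).
SAMPLES = {
    "clean/sh": build_elf32(entry=BASE + 0x80, text_memsz=0x100),
    "segment_padding/e1i1/sh_infected": build_elf32(entry=BASE + 0x100,
                                                    text_memsz=PAGE + 0x120 - 0x14),
}

if __name__ == "__main__":
    results, summary = scan(SAMPLES)
    for r in results:
        if r["detected"]:
            print("%-40s ep=0x%x  sot=0x%x  delta=0x%x" % (r["file"], r["ep"], r["sot"], r["delta"]))
    print(summary)
```

Running the block prints one line per flagged file in the ep=/sot= style of Section 7.2 followed by the files=/detected= summary; parse_elf32 accepts the bytes of any real ELF32 file as well. The HOWTO's results above show why both checks are kept: the entry point check flags only the e1i1 variants, while the padding check flags every infected file.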

7.4. A kingdom for a shell

I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh. But on some systems that particular executable is not vulnerable to Segment padding infection. A systematic search for targets starts with extraction of pure file names from the scanner logs.

Source: pre/i386-redhat8.0-linux/scanner/find-ok.sh
#!/bin/bash
# Extract the names of files the scanner logged as "Ok" (possible targets)
# from the full big.* logs, writing one .ok list per log.
scanner=${1:-segment_padding}
for src in out/i386-redhat8.0-linux/scanner/${scanner}/big.*.full
do
  # keep only lines ending in " ... <details> Ok" and strip that suffix
  /bin/sed -ne 's/ \.\.\. .* Ok$//p' \
  < ${src} > ${src%.full}.ok
done
/usr/bin/wc -l out/i386-redhat8.0-linux/scanner/${scanner}/*.ok

Output: out/i386-redhat8.0-linux/scanner/segment_padding/find-ok
    799 out/i386-redhat8.0-linux/scanner/segment_padding/big.dynamic.ok
      7 out/i386-redhat8.0-linux/scanner/segment_padding/big.static.ok
    806 total

These lists can be searched for acceptable file names.

Source: pre/i386-redhat8.0-linux/scanner/find-shell.sh
#!/bin/bash
# Print the entries of the .ok lists that match one of the shell names
# in find-shell.lst (the \> in that file anchors the end of the word).
scanner="$1"
/bin/grep -h -f ./src/scanner/find-shell.lst \
	out/i386-redhat8.0-linux/scanner/${scanner}/*.ok
exit 0

Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/nash\>
bin/sash\>
bin/sh\>
bin/tcsh\>

And the winner is …

Output: out/i386-redhat8.0-linux/scanner/segment_padding/find-shell
/bin/tcsh
/bin/ash.static

7.5. Food for segment padding

This is the output of Food for segment padding (i).

Output: out/i386-redhat8.0-linux/scanner/segment_padding/infect
/bin/tcsh
/bin/ash.static
/bin/sync

To avoid any suspicion of inadequate paranoia, another test with file(1).

Output: out/i386-redhat8.0-linux/scanner/segment_padding/infect.filetype
/bin/tcsh:       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), not stripped
/bin/ash.static: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped
/bin/sync:       ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

7.6. Scan file size

That no system files are detected is a strong indication that the heuristic is working. The reverse test requires another infection method, the "File virus". Not implemented yet. Note that the diagnostics below are issued by function target_get_seg (i), not by Scan file size (i).

Output: out/i386-redhat8.0-linux/scanner/filesize/small.dynamic
CHECK: additional_cs/e1i1/bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=19; ok=17; detected=2