7. Scanners


Enough research will tend to support your theory.

 Murphy's Law of Research

This is the platform-dependent part of Scanners (i). It contains three things:

Altogether this results in a kind of time warp: the infection methods detected here are described later on, and the list of clean targets found here has already been used.

7.1. Finding executables

This is the output of find-exec.sh as described in Finding executables (i). The sample of output from file further down (at Food for segment padding) might explain how the sed part is supposed to work.

Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.

Output: out/sparc-debian2.2-linux/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
      2 out/sparc-debian2.2-linux/scanner/big.static
    632 out/sparc-debian2.2-linux/scanner/big.dynamic
    634 total

Output: out/sparc-debian2.2-linux/scanner/small.wc
[_infected] tmp/sparc-debian2.2-linux
      2 out/sparc-debian2.2-linux/scanner/small.static
      6 out/sparc-debian2.2-linux/scanner/small.dynamic
      8 total

7.2. Scan entry point

See Sections for the illustrative description of a dumped ELF header. The script itself is at Scan entry point (i).

Output: out/sparc-debian2.2-linux/scanner/entry_point/big.static
files=0002; detected=0000

Output: out/sparc-debian2.2-linux/scanner/entry_point/big.dynamic
files=0632; detected=0000

On a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1), which means there is a cure for this vulnerability (see The entry point). In the following output ep means "entry point" and sot is "start of .text".

Output: out/sparc-debian2.2-linux/scanner/entry_point/small.static
segment_padding/e1i1/ldd_infected            ep=0x4e220    sot=0x100e0   
additional_cs/e1i1/ldd_infected              ep=0xe890     sot=0x100e0   
files=0002; detected=0002

Output: out/sparc-debian2.2-linux/scanner/entry_point/small.dynamic
segment_padding/e1i1/bash_infected           ep=0x85770    sot=0x1f598   
segment_padding/e1i1/sync_infected           ep=0x12450    sot=0x109f8   
segment_padding/e1i1/strip_bash_infected     ep=0x85770    sot=0x1f598   
additional_cs/e1i1/bash_infected             ep=0xe3b0     sot=0x1f598   
additional_cs/e1i1/sync_infected             ep=0xeb30     sot=0x109f8   
additional_cs/e1i1/strip_bash_infected       ep=0xe3b0     sot=0x1f598   
files=0006; detected=0006

7.3. Scan segments

This is the output of Scan segments (i); only the last few lines of output are shown.

Output: out/sparc-debian2.2-linux/scanner/segment_padding/big.static
CHECK: /usr/bin/ldd
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
files=2; ok=2; det_page=0; det_align=1; min=0x10000; max=0x10004

Output: out/sparc-debian2.2-linux/scanner/segment_padding/big.dynamic
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/emacs/20.7/sparc-debian-linux-gnu/hexl
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/postgresql/bin/postgres
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
files=632; ok=632; det_page=0; det_align=59; min=0x10000; max=0x10006

On this installation at least 632 + 2 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output are shown. It is enough to see that all infected files are detected.

Output: out/sparc-debian2.2-linux/scanner/segment_padding/small.static
CHECK: segment_padding/e1i1/ldd_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61440 > 65536; 0xf000 > 0x10000
CHECK: additional_cs/e1i1/ldd_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=2; ok=1; det_page=1; det_align=1; min=0xf000; max=0xf000

Output: out/sparc-debian2.2-linux/scanner/segment_padding/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/sync_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=6; ok=3; det_page=3; det_align=3; min=0xf001; max=0xf005
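The two heuristics above, the entry point check of 7.2 and the padding check of 7.3, as an added example in Python that is not the document's own scanner: scan_elf32 reads the ELF32 headers (big-endian, as on SPARC), verdicts applies the checks as I read them from the output (ep must equal sot; with exactly two PT_LOAD segments the gap between the text segment's end and the data segment's start in memory must not be below one page), and build_elf32 constructs a small clean/infected image pair to run them on. The delta definition, the constructed layout and its numbers are my assumptions.

```python
import struct

PAGE = 0x10000          # page size of the SPARC target used throughout this chapter
PT_LOAD = 1

def scan_elf32(data):
    """Read ep, start of .text, text/data gap and PT_LOAD count from ELF32 headers."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("not an ELF32 image")
    e = ">" if data[5] == 2 else "<"            # EI_DATA 2 = MSB, as on SPARC
    ep, phoff, shoff = struct.unpack_from(e + "III", data, 24)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from(e + "5H", data, 42)
    loads = [p for p in (struct.unpack_from(e + "8I", data, phoff + i * phentsize)
                         for i in range(phnum)) if p[0] == PT_LOAD]
    strtab = struct.unpack_from(e + "I", data, shoff + shstrndx * shentsize + 16)[0]
    sot = None
    for i in range(shnum):                      # find .text via the section name table
        sh_name, _, _, sh_addr = struct.unpack_from(e + "4I", data, shoff + i * shentsize)
        if data[strtab + sh_name:strtab + sh_name + 6] == b".text\0":
            sot = sh_addr
    # delta = data segment vaddr - end of text segment (assumed reading of the output):
    # one page on a clean file, one page minus the inserted code after infection
    text, data_seg = loads[0], loads[1]
    delta = data_seg[2] - (text[2] + text[4])
    return ep, sot, delta, len(loads)

def verdicts(data):
    """7.2: entry point must be the start of .text; 7.3: gap must not be below a page."""
    ep, sot, delta, nr_load = scan_elf32(data)
    return {"entry_point": ep != sot,
            "segment_padding": nr_load == 2 and delta < PAGE,
            "nr_load": nr_load}

def build_elf32(ep, sot, text_filesz, data_vaddr, nr_load=2):
    """Constructed MSB ELF32 image: PT_LOAD text+data, sections null/.text/.shstrtab."""
    shstr = b"\0.text\0.shstrtab\0"
    phoff, shoff = 52, 52 + nr_load * 32
    stroff = shoff + 3 * 40
    ehdr = struct.pack(">4sBBBBB7xHHIIIIIHHHHHH", b"\x7fELF", 1, 2, 1, 0, 0,
                       2, 2, 1, ep, phoff, shoff, 0, 52, 32, nr_load, 40, 3, 2)
    text = struct.pack(">8I", PT_LOAD, 0, 0x10000, 0x10000, text_filesz, text_filesz, 5, PAGE)
    data = struct.pack(">8I", PT_LOAD, text_filesz, data_vaddr, data_vaddr, 0x100, 0x200, 6, PAGE)
    shdrs = (bytes(40)
             + struct.pack(">10I", 1, 1, 6, sot, 0x100, text_filesz, 0, 0, 4, 0)
             + struct.pack(">10I", 7, 3, 0, 0, stroff, len(shstr), 0, 0, 1, 0))
    return ehdr + text + data * (nr_load - 1) + shdrs + shstr
```

A third PT_LOAD (as the additional code segment infection produces) makes the padding check refuse the file, which is what the nr_load == 2 diagnostics above report.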

7.4. A kingdom for a shell

I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh. But on some systems that particular executable is not vulnerable to Segment padding infection. A systematic search for targets starts with extraction of pure file names from the scanner logs.

Source: pre/sparc-debian2.2-linux/scanner/find-ok.sh
#!/bin/bash
# scanner name, default segment_padding
scanner=${1:-segment_padding}
for src in out/sparc-debian2.2-linux/scanner/${scanner}/big.*.full
do
  # keep only the file name: strip the " ... <details> Ok" tail of each Ok line
  /bin/sed -ne 's/ \.\.\. .* Ok$//p' \
  < ${src} > ${src%.full}.ok
done
/usr/bin/wc -l out/sparc-debian2.2-linux/scanner/${scanner}/*.ok

Output: out/sparc-debian2.2-linux/scanner/segment_padding/find-ok
    632 out/sparc-debian2.2-linux/scanner/segment_padding/big.dynamic.ok
      2 out/sparc-debian2.2-linux/scanner/segment_padding/big.static.ok
    634 total

These lists can be searched for acceptable file names.

Source: pre/sparc-debian2.2-linux/scanner/find-shell.sh
#!/bin/bash
scanner="$1"
/bin/grep -h -f ./src/scanner/find-shell.lst \
	out/sparc-debian2.2-linux/scanner/${scanner}/*.ok
exit 0

Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/nash\>
bin/sash\>
bin/sh\>
bin/tcsh\>

And the winner is …

Output: out/sparc-debian2.2-linux/scanner/segment_padding/find-shell
/bin/bash
/usr/bin/tcsh

7.5. Food for segment padding

This is the output of Food for segment padding (i).

Output: out/sparc-debian2.2-linux/scanner/segment_padding/infect
/bin/bash
/usr/bin/ldd
/bin/sync

To avoid any suspicion of inadequate paranoia, another test with file.

Output: out/sparc-debian2.2-linux/scanner/segment_padding/infect.filetype
/bin/bash:    ELF 32-bit MSB executable, SPARC, version 1, dynamically linked (uses shared libs), stripped
/usr/bin/ldd: ELF 32-bit MSB executable, SPARC, version 1, statically linked, stripped
/bin/sync:    ELF 32-bit MSB executable, SPARC, version 1, dynamically linked (uses shared libs), stripped

7.6. Scan file size

That no system files are detected is a strong indication that the heuristic is working. The reverse test requires another infection method, the "File virus", which is not implemented yet. Note that the diagnostics below are issued by the function target_get_seg (i), not by Scan file size (i).

Output: out/sparc-debian2.2-linux/scanner/filesize/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/sync_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=6; ok=3; detected=3