Enough research will tend to support your theory.
Murphy's Law of Research
This is the platform dependent part of Scanners (i). It contains three things:
Verifying peculiarities of system files.
Choosing appropriate targets to demonstrate infection methods.
Testing scanners on all infected executables.
Altogether this results in a kind of time warp: the infection methods detected here are described later on, and the list of clean targets found here has already been used.
This is the output of find-exec.sh as described in Finding executables (i). The sample of file(1) output further down (at Food for segment padding) might explain how the sed part is supposed to work.
Linux distributions and Solaris have very few statically linked programs. On FreeBSD the number is much higher.
Output: out/sparc-debian2.2-linux/scanner/big.wc
[] /bin /sbin /usr/bin /usr/sbin /usr/lib
2 out/sparc-debian2.2-linux/scanner/big.static
632 out/sparc-debian2.2-linux/scanner/big.dynamic
634 total
Output: out/sparc-debian2.2-linux/scanner/small.wc
[_infected] tmp/sparc-debian2.2-linux
2 out/sparc-debian2.2-linux/scanner/small.static
6 out/sparc-debian2.2-linux/scanner/small.dynamic
8 total
See Sections for the illustrative description of a dumped ELF header. The script itself is at Scan entry point (i).
Output: out/sparc-debian2.2-linux/scanner/entry_point/big.static
files=0002; detected=0000
Output: out/sparc-debian2.2-linux/scanner/entry_point/big.dynamic
files=0632; detected=0000
On a clean system there are absolutely no deviations. Now we let the script loose on all infected executables produced from the sources of this document. Only a few are detected (note the directory name e1i1), which means there is a cure against this vulnerability (see The entry point). In the following output ep means "entry point" and sot is "start of .text".
Output: out/sparc-debian2.2-linux/scanner/entry_point/small.static
segment_padding/e1i1/ldd_infected ep=0x4e220 sot=0x100e0
additional_cs/e1i1/ldd_infected ep=0xe890 sot=0x100e0
files=0002; detected=0002
Output: out/sparc-debian2.2-linux/scanner/entry_point/small.dynamic
segment_padding/e1i1/bash_infected ep=0x85770 sot=0x1f598
segment_padding/e1i1/sync_infected ep=0x12450 sot=0x109f8
segment_padding/e1i1/strip_bash_infected ep=0x85770 sot=0x1f598
additional_cs/e1i1/bash_infected ep=0xe3b0 sot=0x1f598
additional_cs/e1i1/sync_infected ep=0xeb30 sot=0x109f8
additional_cs/e1i1/strip_bash_infected ep=0xe3b0 sot=0x1f598
files=0006; detected=0006
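As an added illustration (my own code, not a script from this document), here is a Python re-implementation of the ep/sot comparison above, run on constructed ELF32 MSB images. It assumes the scanner's deviation rule is simply ep != sot; the images are synthetic, carrying only the fields the check reads, not real SPARC binaries.

```python
import struct

EHDR = ">16sHHIIIIIHHHHHH"   # Elf32_Ehdr, big-endian (MSB, as on SPARC)
SHDR = ">10I"                # Elf32_Shdr

def entry_point(elf: bytes) -> int:
    """e_entry from the ELF header."""
    return struct.unpack_from(EHDR, elf, 0)[4]

def text_start(elf: bytes) -> int:
    """sh_addr of .text, found via the section-name string table; -1 if absent."""
    hdr = struct.unpack_from(EHDR, elf, 0)
    ident, shoff, shentsize, shnum, shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 2:
        raise ValueError("not an ELF32 MSB image")
    shdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = shdrs[shstrndx][4]                      # sh_offset of .shstrtab
    for sh in shdrs:
        name = elf[strtab_off + sh[0]:].split(b"\0", 1)[0]
        if name == b".text":
            return sh[3]                                 # sh_addr
    return -1

def scan_entry_point(elf: bytes) -> bool:
    """True when the entry point deviates from the start of .text (assumed ep != sot rule)."""
    return entry_point(elf) != text_start(elf)

def build_elf(entry: int, text_addr: int = 0x100e0) -> bytes:
    """Constructed minimal ELF32 MSB image: header, .text bytes, .shstrtab, 3 section headers."""
    shstr = b"\0.text\0.shstrtab\0"
    text_off, text_size, shstr_off, shoff = 0x100, 0x40, 0x140, 0x160
    ehdr = struct.pack(EHDR, b"\x7fELF\x01\x02\x01" + b"\0" * 9,
                       2, 2, 1, entry, 0, shoff, 0, 52, 32, 0, 40, 3, 2)
    null = struct.pack(SHDR, *([0] * 10))
    text = struct.pack(SHDR, 1, 1, 6, text_addr, text_off, text_size, 0, 0, 4, 0)
    strtab = struct.pack(SHDR, 7, 3, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)
    img = bytearray(shoff + 3 * 40)
    img[:52] = ehdr
    img[text_off:text_off + text_size] = b"\x01\x00\x00\x00" * (text_size // 4)  # SPARC nop filler
    img[shstr_off:shstr_off + len(shstr)] = shstr
    img[shoff:] = null + text + strtab
    return bytes(img)

if __name__ == "__main__":
    # Constructed inputs: a clean image (ep == sot) and one whose entry was moved, as in the log above.
    for label, img in (("clean", build_elf(0x100e0)), ("infected", build_elf(0x4e220))):
        flag = " DETECTED" if scan_entry_point(img) else ""
        print(f"{label}: ep={entry_point(img):#x} sot={text_start(img):#x}{flag}")
```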
This is the output of Scan segments (i); only the last few lines of output are shown.
Output: out/sparc-debian2.2-linux/scanner/segment_padding/big.static
CHECK: /usr/bin/ldd
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
files=2; ok=2; det_page=0; det_align=1; min=0x10000; max=0x10004
Output: out/sparc-debian2.2-linux/scanner/segment_padding/big.dynamic
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/emacs/20.7/sparc-debian-linux-gnu/hexl
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
CHECK: /usr/lib/postgresql/bin/postgres
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 65536 > 65536; 0x10000 > 0x10000
files=632; ok=632; det_page=0; det_align=59; min=0x10000; max=0x10006
On this installation at least 632 + 2 files are possible targets for Segment padding infection. So on to all infected executables created from the sources of this document. Again only the last few lines of output are shown. It's enough to see that all infected files are detected.
Output: out/sparc-debian2.2-linux/scanner/segment_padding/small.static
CHECK: segment_padding/e1i1/ldd_infected
CHECK: src/scanner/segment_padding/action.inc#17
CHECK: (delta) > (0x10000)
CHECK: 61440 > 65536; 0xf000 > 0x10000
CHECK: additional_cs/e1i1/ldd_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=2; ok=1; det_page=1; det_align=1; min=0xf000; max=0xf000
Output: out/sparc-debian2.2-linux/scanner/segment_padding/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/sync_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=6; ok=3; det_page=3; det_align=3; min=0xf001; max=0xf005
I want to demonstrate infection methods on a shell. The usual suspect is /bin/sh. But on some systems that particular executable is not vulnerable to Segment padding infection. A systematic search for targets starts with extraction of pure file names from the scanner logs.
Source: pre/sparc-debian2.2-linux/scanner/find-ok.sh
#!/bin/bash
# Scanner name defaults to segment_padding; the second argument is accepted but not used here.
scanner=${1:-segment_padding}
prefix=$2
for src in out/sparc-debian2.2-linux/scanner/${scanner}/big.*.full
do
	# Keep only the file name: drop the " ... <details> Ok" tail of every passing line.
	/bin/sed -ne 's/ \.\.\. .* Ok$//p' \
		< "${src}" > "${src%.full}.ok"
done
/usr/bin/wc -l out/sparc-debian2.2-linux/scanner/${scanner}/*.ok
Output: out/sparc-debian2.2-linux/scanner/segment_padding/find-ok
632 out/sparc-debian2.2-linux/scanner/segment_padding/big.dynamic.ok
2 out/sparc-debian2.2-linux/scanner/segment_padding/big.static.ok
634 total
These lists can be searched for acceptable file names.
Source: pre/sparc-debian2.2-linux/scanner/find-shell.sh
#!/bin/bash
scanner="$1"
/bin/grep -h -f ./src/scanner/find-shell.lst \
out/sparc-debian2.2-linux/scanner/${scanner}/*.ok
exit 0
Source: src/scanner/find-shell.lst
bin/ash\>
bin/bash\>
bin/bsh\>
bin/csh\>
bin/ksh\>
bin/nash\>
bin/sash\>
bin/sh\>
bin/tcsh\>
And the winner is …
Output: out/sparc-debian2.2-linux/scanner/segment_padding/find-shell
/bin/bash
/usr/bin/tcsh
This is the output of Food for segment padding (i).
Output: out/sparc-debian2.2-linux/scanner/segment_padding/infect
/bin/bash
/usr/bin/ldd
/bin/sync
To avoid any suspicion of inadequate paranoia, another test with file(1).
Output: out/sparc-debian2.2-linux/scanner/segment_padding/infect.filetype
/bin/bash: ELF 32-bit MSB executable, SPARC, version 1, dynamically linked (uses shared libs), stripped
/usr/bin/ldd: ELF 32-bit MSB executable, SPARC, version 1, statically linked, stripped
/bin/sync: ELF 32-bit MSB executable, SPARC, version 1, dynamically linked (uses shared libs), stripped
Output: out/sparc-debian2.2-linux/scanner/filesize/big.dynamic
files=632; ok=632; detected=0
Output: out/sparc-debian2.2-linux/scanner/filesize/big.static
files=2; ok=2; detected=0
That no system files are detected is a strong indication that the heuristic is working. The reverse test requires another infection method, the "File virus", which is not implemented yet. Note that the diagnostics below are issued by function target_get_seg (i), not by Scan file size (i).
Output: out/sparc-debian2.2-linux/scanner/filesize/small.dynamic
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/sync_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
CHECK: additional_cs/e1i1/strip_bash_infected
CHECK: src/one_step_closer/get_seg.inc#25
CHECK: (nr_load) == (2)
CHECK: 3 == 2; 0x3 == 0x2
files=6; ok=3; detected=3