
Re: chkrootkit-0.31 and possible bug?



On Thu, Jun 06, 2002 at 07:15:24PM +0200, Willi Dyck wrote:
> on a daily basis I do run chkrootkit version 0.31 on a server I
> maintain. Today chkrootkit reported the following:
> 
>    Checking `lkm'... You have 1 process hidden for readdir command
>    You have 1 process hidden for ps command
>    Warning: Possible LKM Trojan installed
> 
> That, of course, got me shocked. I then ran chkrootkit manually and
> what? This complain disappeared!

The code snippet below contains an obvious race.  It first runs readdir
and ps and caches the result, and afterwards checks every possible
/proc/<pid>.  If a perfectly ordinary process happens to get started
between both checks, it will show up on chkrootkit's radar.  It's always
a good attitude to be paranoid about security issues, but in this case I
believe the fact that you haven't been able to reproduce the warning
quite clearly shows that indeed you happened to hit the race condition.

>    /* Brute force */
>    strcpy(buf, "/proc/");
>    retps = retdir = 0;
>    for (i = 1; i <= MAX_PROCESSES; i++)
>    {
>       snprintf(&buf[6], 6, "%d", i); 
>       if (!chdir(buf))
>       {
>          if (!dirproc[i])
>          {
>             retdir++;
>             if (verbose)
> 	       printf ("PID %5d: not in readdir output\n", i);
>          }
>          if (!psproc[i])
>          {
>             retps++;
>             if (verbose)
> 	       printf ("PID %5d: not in ps output\n", i);
>          }
>       }
>    }
>    if (retdir)
>       printf("You have % 5d process hidden for readdir command\n", retdir);
>    if (retps)
>       printf("You have % 5d process hidden for ps command\n", retps);
>    return (retps+retdir);
> }

Regards,

Daniel.
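The race Daniel describes, and one way to close it, as an added example that is not part of this mail or of chkrootkit's own source.  The idea is to treat a PID that answers the /proc probe but is missing from the cached listing only as a candidate, and to take a second listing while the candidate still exists: a process that merely started between the snapshot and the probe shows up in the second listing, a process hidden by an LKM stays absent from both.  The function names (scan_hidden_naive, scan_hidden, sim_lister, sim_probe), the simulated PIDs 1234 and 4321 and the simulated listing are assumptions constructed for the example; the readdir and stat helpers run against the real /proc on Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <sys/stat.h>

#define MAX_PROCESSES 65536   /* upper bound on PIDs to brute-force */
#define MAX_HIDDEN    64      /* how many suspects we keep per pass */

/* A source of "which PIDs are visible": readdir(/proc), or parsed ps output. */
typedef void (*pid_lister)(unsigned char *seen, int max);
/* A probe that asks the kernel whether a PID exists, independent of listings. */
typedef int (*pid_probe)(int pid);

/* Real lister: numeric entries of /proc, as chkrootkit's readdir pass does. */
static void proc_readdir_lister(unsigned char *seen, int max)
{
    DIR *d = opendir("/proc");
    struct dirent *e;
    if (!d)
        return;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < max)
            seen[pid] = 1;
    }
    closedir(d);
}

/* Real probe: stat("/proc/<pid>") instead of chkrootkit's chdir(). */
static int proc_stat_probe(int pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", pid);
    return stat(path, &st) == 0;
}

/* The racy original logic: one cached listing, then a brute-force probe. */
static int scan_hidden_naive(pid_lister list, pid_probe probe, int max,
                             int *hidden, int cap)
{
    unsigned char *seen = calloc((size_t)max, 1);
    int pid, n = 0;
    if (!seen)
        return -1;
    list(seen, max);
    for (pid = 1; pid < max; pid++)
        if (probe(pid) && !seen[pid] && n < cap)
            hidden[n++] = pid;      /* anything born after list() lands here */
    free(seen);
    return n;
}

/* Race-aware variant: a second listing taken while the suspect still exists
 * must also omit it before it is reported as hidden. */
static int scan_hidden(pid_lister list, pid_probe probe, int max,
                       int *hidden, int cap)
{
    unsigned char *seen = calloc((size_t)max, 1);
    int cand[MAX_HIDDEN];
    int pid, i, ncand = 0, n = 0;
    if (!seen)
        return -1;
    list(seen, max);                                  /* snapshot 1 */
    for (pid = 1; pid < max; pid++)
        if (probe(pid) && !seen[pid] && ncand < MAX_HIDDEN)
            cand[ncand++] = pid;                      /* candidate only */
    if (ncand) {
        memset(seen, 0, (size_t)max);
        list(seen, max);                              /* snapshot 2 */
        for (i = 0; i < ncand; i++)
            if (!seen[cand[i]] && probe(cand[i]) && n < cap)
                hidden[n++] = cand[i];                /* absent twice, still alive */
    }
    free(seen);
    return n;
}

/* ---- constructed simulation (not a real /proc): reproduces the race ---- */
#define SIM_NEWBORN 1234   /* ordinary process that starts right after snapshot 1 */
#define SIM_HIDDEN  4321   /* process an LKM rootkit hides from readdir and ps */
static int sim_calls;      /* number of listings taken so far */

static void sim_reset(void) { sim_calls = 0; }

static void sim_lister(unsigned char *seen, int max)
{
    (void)max;
    seen[1] = 1;
    seen[100] = 1;
    if (sim_calls > 0)
        seen[SIM_NEWBORN] = 1;  /* visible from the second listing onwards */
    sim_calls++;                /* SIM_HIDDEN is never listed */
}

static int sim_probe(int pid)
{
    return pid == 1 || pid == 100 || pid == SIM_NEWBORN || pid == SIM_HIDDEN;
}

int main(void)
{
    int hidden[MAX_HIDDEN], n, i;

    sim_reset();
    n = scan_hidden_naive(sim_lister, sim_probe, 8192, hidden, MAX_HIDDEN);
    printf("naive scan (simulated): %d suspect(s)\n", n);        /* 2: false alarm */
    sim_reset();
    n = scan_hidden(sim_lister, sim_probe, 8192, hidden, MAX_HIDDEN);
    printf("race-aware scan (simulated): %d hidden\n", n);       /* 1: PID 4321 */

    n = scan_hidden(proc_readdir_lister, proc_stat_probe, MAX_PROCESSES,
                    hidden, MAX_HIDDEN);
    for (i = 0; i < n; i++)
        printf("PID %5d: not in readdir output\n", hidden[i]);
    if (n > 0)
        printf("You have %d process(es) hidden for readdir command\n", n);
    return 0;
}
```

The second listing does not make the check airtight against a rootkit that hides processes intermittently, but it removes the false positive for the common case of a process that simply started during the scan; the same candidate-then-confirm step applies to the ps pass.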


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org