
Re: MD5 sums of individual files?



On Thu, Mar 29, 2001 at 02:33:05PM -0500, Noah L. Meyerhans wrote:
> On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> > It is more than possible.  There are people that have figured out
> > how to pad a file to make the checksums the same.  They don't have
> > to worry about the
[snip]
> No, MD5 has not been cracked.  There are theoretical vulnerabilities.
> Some people have been able to create 2 files that have the same
> checksum, but only if they have complete control over both files.  It
> is not (currently) possible to take a given file and create another
> file with the same MD5 sum.  That's not to say that it won't ever
> change, but
[snip]

Why bother even trying to modify the file to have the same checksum?
All the rootkit must do is keep the original file around, and either
select the compromised file or original depending on whether it is being
opened for reading or executing.  A kernel module could be loaded
without rebooting to handle this if module loading is allowed.  If a
program loader (e.g. ld.so and company) wants to open a file, use the
(hidden) compromised file, otherwise, serve up the original.

I think this has already been done in a rootkit or two.

Patrick Maheral


