Bugtraq mailing list archives

Re: UnBodyGuard a.k.a Bouncer (Solaris kernel function hijacking) (fwd)


From: Dave Aitel <dave () immunitysec com>
Date: 08 Jul 2002 10:23:48 -0400

I can't run any version of bouncer on my test Solaris 8 Ultra 5 machine.
It panics the kernel with the same alignment error no matter which
version I run, even if I compile it with gcc 3.1, which is what
BodyGuard is compiled with. Are other people running into that as well?
This is just a fully patched up Solaris 8 box. 

I did create a new version of BodyGuard to test bouncer against. See
http://www.immunitysec.com/bodyguard.html. Actually, there is BG1.1,
which is a simple port of 1.0 and should work from Solaris 7 to Solaris
9. Also there is BG1.2, which will probably false-positive on 7 and 9,
but should detect bouncer2 modifying it on 8, and also checks SYS_exec,
in addition to SYS_execve and SYS_stat64. So it might catch the original
bouncer. I can't test it though, since every version of bouncer has
panicked my system. 

The integrity checking in 1.2 should take you at least 15 minutes to
IDA-Pro and patch up. I check a global variable that gets modified
inside verify_syscalls(). I'm surprised you didn't just implement a
filter on cmn_err(). The professional version does a lot of
self-deobfuscation and shellcode-like things to make life even more fun.

This sort of shenanigans is why I posed my business model more as a
service than as a product. Over a period of time, some version of
BodyGuard will catch any kernel trojan unawares, and it will be
detected. The only sign the hacker should have is of hacked boxes being
reinstalled after forensics has been done. 

In the long run, every computer is vulnerable to remote compromise, but
BodyGuard helps ensure that the hackers can't maintain their foothold on
that computer. The Demo version was hopefully a blitzkrieg that caught
the hackers unawares. If you haven't downloaded and run it, you probably
still have some time as everyone rushes to update their trojans.

Dave Aitel
Immunity, Inc
www.immunitysec.com

P.S.

md5sums for BodyGuard, since key distribution is still a hard problem:

If you need a high level of assurance, feel free to call, or e-mail
Immunity and we will read numbers back to you, or get our key into your
web of trust. 

bad0eb2337b465a8bb2f060cc3e3e023 GPG sig ImmunityBodyGuardDemo1.0.tar.gz
(Original public release - works on 7,8)

aafaf18c5eb4a18d4f9cdc47c2f25cb1 GPG sig BG1.1.tar.gz (1.0, but works on
7-9)

eda2cc6cb5aac6f6833dcaa2d70a59dd GPG sig BG1.2.tar.gz (works on 8,
checks SYS_exec, checks self integrity)


On Sun, 2002-07-07 at 08:10, noir sin wrote:

Apologies for replying to my own mail, but I must say I have successfully
developed what I was talking about below... also fixed an alignment issue
that leads to a crash in some rare cases.

you can download the new package from:

http://gsu.linux.org.tr/~noir/b.tar.gz


primary_inhouse_kernel_function_used_by_bodyguard()
{
    .....
    if (kobj_getsymvalue("verify_syscalls", 1)) {
        /* do page protection manipulation */
        /* patch the proper place in verify_syscalls() with "return TRUE" */
        /* !! this makes verify_syscalls() return TRUE, meaning no problems */
    }
    ....
    do the real stuff ...
}

This will render any kernel-level integrity checker useless. The solution
is simple: integrity checkers have to be stealthy, like their counterparts
(backdoors).

here is how things are:
bouncer hooks cmn_err()* and checks if verify_syscalls() resolves; if YES,
it patches the first 2 instructions of verify_syscalls() with "retl; nop".

* cmn_err() is used for reporting to userland (through /var/adm/messages),
so at _init() bodyguard calls cmn_err() to report its successful
installation. Nada! bouncer kicks in and patches verify_syscalls() ...
;0)

now you can even change the sysent/sysent32 table with no worries ; )
logs of BOUNCER in action:

bash-2.03# uname -a
SunOS slint 5.8 Generic_108528-09 sun4u sparc SUNW,Ultra-5_10
bash-2.03# isainfo -b
64
bash-2.03# cd BOUNCER/
bash-2.03# modload b2
bash-2.03#
bash-2.03# /usr/local/sbin/sshd
bash: /usr/lib/.funky/sshd: No such file or directory
bash-2.03# cd ../BODYGUARD
bash-2.03# sh runbodyguard_verifier.sh
This is the license for BodyGuard Kernel Verifier, Demo Version 1.0

....
Jul  7 04:45:50 slint bodyguard: [ID 801043 kern.notice] NOTICE:
Installing Immunity BODYGUARD module!
Jul  7 04:45:50 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there
are any problems, please e-mail Dave Aitel at dave () immunitysec com
Jul  7 04:45:50 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is
just a demo version of the Immunity BODYGUARD product.
Jul  7 04:45:50 slint bodyguard: [ID 530759 kern.notice] NOTICE: For a
year-long site license, or limited source code license, please see
http://www.immunitysec.com.
Jul  7 04:45:50 slint bodyguard: [ID 222896 kern.notice] NOTICE: Done
installing BODYGUARD.
Jul  7 04:45:51 slint bodyguard: [ID 887483 kern.notice] NOTICE: Removing
BODYGUARD module!
Jul  7 05:01:22 slint bodyguard: [ID 801043 kern.notice] NOTICE:
Installing Immunity BODYGUARD module!
Jul  7 05:01:22 slint bodyguard: [ID 300378 kern.notice] NOTICE: If there
are any problems, please e-mail Dave Aitel at dave () immunitysec com
Jul  7 05:01:22 slint bodyguard: [ID 779008 kern.notice] NOTICE: This is
just a demo version of the Immunity BODYGUARD product.

bash-2.03# modload bodyguard
bash-2.03# adb -k /dev/ksyms
physmem 3b5b
verify_syscalls/i
verify_syscalls:
verify_syscalls:                retl

verify_syscalls+4:              nop

cmn_err+0x94/i
cmn_err+0x94:   call    uncle_steve_albini

exece+0xc/i
exece+0xc:      call    hook_execcommon

later,
noir
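The thread above describes three moves: BodyGuard snapshots the sysent entries it watches and compares them in verify_syscalls(); bouncer hooks SYS_execve and, once verify_syscalls resolves, overwrites its first two instructions with "retl; nop" so it returns TRUE without running; and BG1.2 answers by having verify_syscalls() modify a global variable that the caller checks, so a stubbed checker gives itself away. The following is an added user-space model of that exchange, written for this page; it is not BodyGuard or bouncer code. The function and variable names, the return codes, and the use of a function pointer swap to stand in for the in-kernel instruction patch are assumptions; the syscall numbers are only table indices here. The last function is the SPARC "retl; nop" prologue test (0x81c3e008, 0x01000000) a verifier could apply to its own text.

```c
/* Added example, not BodyGuard or bouncer code. Names and return codes are
 * assumptions; the table is a user-space stand-in for the kernel's sysent. */
#include <stdint.h>
#include <string.h>

#define TRUE  1
#define FALSE 0

typedef int (*sy_call_t)(const char *path);

/* Solaris syscall numbers used as table indices (illustrative only). */
enum { SYS_exec = 11, SYS_execve = 59, SYS_stat64 = 215, NSYSCALL = 256 };

struct sysent { sy_call_t sy_callc; };
static struct sysent sysent[NSYSCALL];     /* live dispatch table          */
static sy_call_t     snapshot[NSYSCALL];   /* copy taken when BG loads     */
static const int     watched[] = { SYS_exec, SYS_execve, SYS_stat64 };

/* Stand-in handlers; sys_execve records the path it was asked to run. */
static char last_exec_path[64];
static int sys_exec(const char *p)   { (void)p; return 0; }
static int sys_stat64(const char *p) { (void)p; return 0; }
static int sys_execve(const char *p)
{
    strncpy(last_exec_path, p, sizeof last_exec_path - 1);
    return 0;
}
/* Rootkit replacement: model of the redirect visible in the log above. */
static int hook_execcommon(const char *p)
{
    char buf[64] = "/usr/lib/.funky/";
    const char *base = strrchr(p, '/');
    strncat(buf, base ? base + 1 : p, sizeof buf - strlen(buf) - 1);
    return sys_execve(buf);
}
const char *exec_path_seen(void) { return last_exec_path; }

int do_syscall(int nr, const char *p)
{
    if (nr < 0 || nr >= NSYSCALL || sysent[nr].sy_callc == NULL)
        return -1;
    return sysent[nr].sy_callc(p);
}

/* ---- the verifier ------------------------------------------------------ */

/* Witness global: every honest run of verify_syscalls() changes it. */
static volatile unsigned long verify_witness;

int verify_syscalls(void)
{
    size_t i;
    verify_witness++;
    for (i = 0; i < sizeof watched / sizeof watched[0]; i++)
        if (sysent[watched[i]].sy_callc != snapshot[watched[i]])
            return FALSE;
    return TRUE;
}

/* What the "retl; nop" patch turns the checker into: TRUE, no work done. */
static int verify_syscalls_stubbed(void) { return TRUE; }

/* Reached through a pointer so the patch can be modelled as a swap; in the
 * kernel the first two instructions of the function are overwritten. */
static int (*verify_syscalls_sym)(void) = verify_syscalls;

enum { BG_CLEAN = 0, BG_TABLE_HOOKED = 1, BG_CHECKER_STUBBED = 2 };

int bodyguard_check(void)
{
    unsigned long before = verify_witness;
    int ok = verify_syscalls_sym();
    if (verify_witness == before)   /* returned without ever running */
        return BG_CHECKER_STUBBED;
    return ok ? BG_CLEAN : BG_TABLE_HOOKED;
}

/* ---- module life cycle ------------------------------------------------- */

void bodyguard_init(void)
{
    int i;
    sysent[SYS_exec].sy_callc   = sys_exec;
    sysent[SYS_execve].sy_callc = sys_execve;
    sysent[SYS_stat64].sy_callc = sys_stat64;
    for (i = 0; i < NSYSCALL; i++)
        snapshot[i] = sysent[i].sy_callc;
    verify_syscalls_sym = verify_syscalls;
    verify_witness = 0;
}

void bouncer_install(int stub_checker)
{
    sysent[SYS_execve].sy_callc = hook_execcommon;
    if (stub_checker)               /* what kobj_getsymvalue() + patch achieve */
        verify_syscalls_sym = verify_syscalls_stubbed;
}

/* ---- SPARC prologue test ----------------------------------------------- */

/* "retl" is 0x81c3e008 and "nop" is 0x01000000 in SPARC encoding; words are
 * assumed already loaded in host order. */
int prologue_is_retl_nop(const uint32_t *text)
{
    return text[0] == 0x81c3e008u && text[1] == 0x01000000u;
}
static const uint32_t sparc_retl_nop[2] = { 0x81c3e008u, 0x01000000u };
static const uint32_t sparc_save_nop[2] = { 0x9de3bfa0u, 0x01000000u }; /* save %sp,-96,%sp; nop */
```

The witness trick only buys time, as the message admits: a patch that jumps past the witness update, or increments the global itself before returning TRUE, defeats it, which is why the next step is a checker that hides its own symbols and verifies its own text (the prologue test above is the simplest form of that).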
Attachment: signature.asc
Description: This is a digitally signed message part