Re: MD5 sums of individual files?

2001-03-29 Thread Ethan Benson
On Thu, Mar 29, 2001 at 04:13:20PM -0500, Noah L. Meyerhans wrote:
> 
> Yes, knark does this, and does it very well.  It's available from
> packetstorm, and I've seen it in action "in the wild".  It's extremely
> effective.  Fortunately such rootkits are still very uncommon.  I'm not
> sure why that is, as they're no more difficult for the script kiddy 
> than any other rootkit.  If used right, they're completely effective
> against things like tripwire or AIDE.  They can do more than just hide
> files, too.

indeed. 

> Note that LIDS is supposed to be able to detect Knark.  It also helps to
> portscan the machine from a known good system and look for ports that
> should not be open (especially ports that don't look open on the
> potentially cracked box).  It's also worth it to reboot from a trusted
> rescue disk, but don't use the standard rescue disks!  They load modules
> from the systems hard drive, one of which could insert knark.

one can also use lcap to remove CAP_SYS_MODULE and CAP_SYS_RAWIO from
the kernel capability bounding set.  this makes it impossible to
install modules and blocks access to /dev/mem, /dev/kmem and
/proc/kcore even to root.  this *should* make it pretty much
impossible to install the kernel module without rebooting the machine
(which should attract the attention and scrutiny of a good admin).
the problem with this approach is the intruder can remove the lcap
call from the initscripts and reboot.  

before you say make the initscripts and kernel immutable and revoke
CAP_LINUX_IMMUTABLE notice that revoking that capability does NOT
disable root's access to the raw device files, so it's still trivial
for root to remove the immutable bit from any file using debugfs and
mount -o remount /whatever.  AFAICS there is no capability that blocks
root's access to the raw disk device files, unlike the BSD
securelevel.  

of course even if you could, it's been said you cannot make / and /etc
immutable without severely breaking the system which means the attacker
need only do the following:

cp -a /etc /etc.new
mv /etc /etc.old
mv /etc.new /etc

reboot
rm -rf /etc.old

of course this again requires a reboot which should be noticed.  both
this and lids make system administration a royal pain (every security
update will require a reboot into single user mode).  lids can
perhaps do a better job, but it's funky to configure, breaks things and
still makes admining the box a royal pain.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
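The property Ethan's lcap recipe is after is that module loading and raw kernel-memory access are no longer reachable from root. The check below is an added example, not code from the thread or from lcap; it assumes a kernel new enough to expose a per-process bounding set as `CapBnd:` in /proc/<pid>/status and to have the kernel.modules_disabled sysctl (the 2.4-era global /proc/sys/kernel/cap-bound that lcap wrote to no longer exists). The two status dumps at the bottom are constructed samples.

```python
"""Audit whether the escape routes discussed in the thread are still open:
loading a kernel module (CAP_SYS_MODULE, or modules_disabled=0) and writing
kernel memory through /dev/mem, /dev/kmem or /proc/kcore (CAP_SYS_RAWIO).
Added example; assumes a per-process CapBnd in /proc/<pid>/status."""

# Capability bit numbers as defined in <linux/capability.h>.
WATCHED = {"CAP_LINUX_IMMUTABLE": 9, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17}


def parse_capbnd(status_text):
    """Return the CapBnd mask from the text of /proc/<pid>/status as an int."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def still_allowed(mask, watched=WATCHED):
    """Names from `watched` whose bit is still set in the bounding-set mask."""
    return sorted(name for name, bit in watched.items() if (mask >> bit) & 1)


def audit(status_text, modules_disabled):
    """Summarize the findings.  Empty 'module_load' and 'raw_memory' lists
    mean the lcap-style lockdown is in effect; 'chattr_can_clear_immutable'
    is True when root may still use chattr -i (Ethan's point is that even
    without it, raw disk access would do the same job)."""
    allowed = still_allowed(parse_capbnd(status_text))
    module_load = [c for c in allowed if c == "CAP_SYS_MODULE"]
    if not modules_disabled:
        module_load.append("kernel.modules_disabled=0")
    return {
        "module_load": module_load,
        "raw_memory": [c for c in allowed if c == "CAP_SYS_RAWIO"],
        "chattr_can_clear_immutable": "CAP_LINUX_IMMUTABLE" in allowed,
    }


def audit_live():
    """Run the audit against this process and this kernel (Linux only)."""
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/sys/kernel/modules_disabled") as f:
        disabled = f.read().strip() == "1"
    return audit(status, disabled)


# Constructed samples: a root shell with the full bounding set (bits 0..40),
# and the same shell after bits 16 and 17 were dropped from it.
FULL_BOUNDING_SET = "Name:\tbash\nCapBnd:\t000001ffffffffff\n"
MODULES_AND_RAWIO_DROPPED = "Name:\tbash\nCapBnd:\t000001fffffcffff\n"

if __name__ == "__main__":
    print(audit(FULL_BOUNDING_SET, False))
    print(audit(MODULES_AND_RAWIO_DROPPED, True))
```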




Re: MD5 sums of individual files?

2001-03-29 Thread Noah L. Meyerhans
On Thu, Mar 29, 2001 at 03:23:34PM -0500, Patrick Maheral wrote:
> Why bother even trying to modify the file to have the same checksum.
> All the rootkit must do is keep the original file around, and either
> select the compromised file or original depending on whether it is being
> opened for reading or executing.  A kernel module could be loaded
> without rebooting to handle this if module loading is allowed.  If a
> program loader (eg. ld.so and company) wants to open a file, use the
> (hidden) compromised file, otherwise, serve up the original.

Yes, knark does this, and does it very well.  It's available from
packetstorm, and I've seen it in action "in the wild".  It's extremely
effective.  Fortunately such rootkits are still very uncommon.  I'm not
sure why that is, as they're no more difficult for the script kiddy 
than any other rootkit.  If used right, they're completely effective
against things like tripwire or AIDE.  They can do more than just hide
files, too.

Note that LIDS is supposed to be able to detect Knark.  It also helps to
portscan the machine from a known good system and look for ports that
should not be open (especially ports that don't look open on the
potentially cracked box).  It's also worth it to reboot from a trusted
rescue disk, but don't use the standard rescue disks!  They load modules
> from the system's hard drive, one of which could insert knark.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





RE: MD5 sums of individual files?

2001-03-29 Thread Pat Moffitt
It would make it much harder (read not really possible) to make the files
the same size.  Tripwire checks these, I will have to take a look.  Take my
word for it, it is no fun getting hacked.  And for those of us that aren't
(weren't?) real security savvy, hire an over 18 year old hacker (most quit
at 18 in the US because they can now be sent to prison), very enlightening
(and most work cheap).

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.


> -Original Message-
> From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 29, 2001 11:33 AM
> To: Debian Security List
> Subject: Re: MD5 sums of individual files?
>
>
> On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> > It is more than possible.  There are people that have figured out how to pad
> > a file to make the checksums the same.  They don't have to worry about the
> > fact that your checksums cannot be changed because they will fake theirs to
> > match.  This is much more work and would require that the hacker have more
> > skills than the regular script kiddy.
>
> No, MD5 has not been cracked.  There are theoretical vulnerabilities.
> Some people have been able to create 2 files that have the same
> checksum, but only if they have complete control over both files.  It is
> not (currently) possible to take a given file and create another file
> with the same MD5 sum.  That's not to say that it won't ever change, but
> even if it does, there's no question that the file sizes would be
> significantly different.  Tripwire (and most likely other similar
> products) track file sizes in addition to checksums.
>
> noah
>
> --
>  ___
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html
>
>



Re: MD5 sums of individual files?

2001-03-29 Thread Kenneth Pronovici
>  If they root your box, they could mess with your gpg keyring and/or binary.
> They could just spew out fake emails that say the thing was checked, and
> even spin the floppy disk in case you were watching to make sure it was
> doing a "real" check.

OK, I give up.  ;-)  

>  You can't use a possibly-cracked machine to check itself, unless you are
> checking for breakins on non-root accounts.  (e.g. web page defacement if
> they got in through httpd.)

Agreed... or if only one machine is available, we're back to periodically 
booting from a safe, known, bootable CD-R with a kernel, a copy of the 
checksums and all of the required binaries on it (which is fine unless someone 
broke into my house and replaced the CD-R ;-)).  

I guess I'll stick with what I have (i.e. the RO floppy) and hope that the 
script kiddie isn't thinking that far ahead (the last one that got through
onto a previous RedHat box of mine wasn't, fortunately).

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."



Re: MD5 sums of individual files?

2001-03-29 Thread Patrick Maheral
On Thu, Mar 29, 2001 at 02:33:05PM -0500, Noah L. Meyerhans wrote:
> On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> > It is more than possible.  There are people that have figured out
> > how to pad a file to make the checksums the same.  They don't have
> > to worry about the
[snip]
> No, MD5 has not been cracked.  There are theoretical vulnerabilities.
> Some people have been able to create 2 files that have the same
> checksum, but only if they have complete control over both files.  It
> is not (currently) possible to take a given file and create another
> file with the same MD5 sum.  That's not to say that it won't ever
> change, but
[snip]

Why bother even trying to modify the file to have the same checksum.
All the rootkit must do is keep the original file around, and either
select the compromised file or original depending on whether it is being
opened for reading or executing.  A kernel module could be loaded
without rebooting to handle this if module loading is allowed.  If a
program loader (eg. ld.so and company) wants to open a file, use the
(hidden) compromised file, otherwise, serve up the original.

I think this has already been done in a rootkit or two.

Patrick Maheral



Re: MD5 sums of individual files?

2001-03-29 Thread Martin Maney
On Thu, Mar 29, 2001 at 01:04:47PM -0600, Kenneth Pronovici wrote:
> Another option would be to not store the AIDE configuration file anywhere
> that the cracker could see it.  Without that configuration file, the
> cracker would have no way to generate a valid, substitute list of
> checksums.  This is less workable, because that configuration file would
> have to be "unhidden" every time AIDE needed to run, making a cron-based
> schedule more difficult.

Well, if the cracker is really good, you can't trust anything less than a
boot from physically secure media (and one that doesn't trust anything on
the system that's not physically secured) to run the scan anyway.  :-(

As you say, the scan's config has to be visible to him, so even if you ship
the results off to another box for comparison with the "known good"
signatures, all he has to do is install a fake scan program.  This answers
against nearly all checks less intrusive than a secure boot.  Luckily, most
crackers aren't capable of such subtlety... and so keeping the checklist on
write-protected media is a reasonable approach.  But security is a process,
not a cron job.  ;-)



Re: MD5 sums of individual files?

2001-03-29 Thread Peter Cordes
On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> It is more than possible.  There are people that have figured out how to pad
> a file to make the checksums the same.  They don't have to worry about the
> fact that your checksums cannot be changed because they will fake theirs to
> match.
 We're talking about MD5 hashes here, not CRC error detection codes.  You're
saying that people have broken MD5.  If this were true, I would have heard
about it by now!

>  This is much more work and would require that the hacker have more
> skills than the regular script kiddy.

 AFAIK, this requires a computationally-infeasible amount of work.

 Besides, if you pad a file, then the length is wrong.  You can check that
too.  (Of course, you could just change bytes mid-file, but that is probably
even harder, i.e. still impossible without all the world's computers and a
lot of time.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



Re: MD5 sums of individual files?

2001-03-29 Thread Dan Rowles
- Original Message -
From: "Pat Moffitt" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 29, 2001 8:19 PM
Subject: RE: MD5 sums of individual files?


> It is more than possible.  There are people that have figured out how to pad
> a file to make the checksums the same.  They don't have to worry about the
> fact that your checksums cannot be changed because they will fake theirs to
> match.  This is much more work and would require that the hacker have more
> skills than the regular script kiddy.


If you're using SHA / MD5 / RIPE this should be next to impossible, as these
algorithms are designed to protect against exactly this sort of attack. With
SHA, which produces a 160-bit hash, it should take you around 2^^80 messages
before you find 2 that have the same hash, and about 2^^159 before you can
find one which has the same hash as one of mine.

Of course, if you're using CRC32 for your checksum, that's a much easier
problem :)

Dan




>
> Pat Moffitt
> MIS Administrator
> Western Recreational Vehicles, Inc.
>
>
> > -Original Message-
> > From: Don Laursen [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 29, 2001 10:40 AM
> > To: debian-security@lists.debian.org
> > Subject: RE: MD5 sums of individual files?
> >
> >
> > Ok with that said, how feasible is it for a cracker to install their
> > rootkit, and mimic the checksummed files to match the contents of the
> > floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> > remount it to his/her pseudo check sums?
> >
> > I'm probably missing the howto detail where the alert is generated before
> > rootkit is installed.
> >
> >
> >
> > Thanks,
> > Don
> >
> >
> > > Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
> > > the disk's tab is moved to the RO position.  I agree... I wouldn't feel
> > > comfortable or safe if the floppy was just mounted RO.
> > >
> >
> > >> Another way to do this is to install the AIDE package, that performs a
> > >> checksum to certain files that you specify in the configuration, by the
> > >> way tripwire do it... It's so easy to install and send you an e-mail
> > >> notifying the daily results
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]



Re: MD5 sums of individual files?

2001-03-29 Thread Peter Cordes
On Thu, Mar 29, 2001 at 01:04:47PM -0600, Kenneth Pronovici wrote:
> I see two ways to get around this: one solution is for me to GPG-sign the
> AIDE checksum list when I create it.  Then I could check the signature in my
> script that runs AIDE, and I would know that it was me who created it.  This
> would be more like what Tripwire's latest release does.

 If they root your box, they could mess with your gpg keyring and/or binary.
They could just spew out fake emails that say the thing was checked, and
even spin the floppy disk in case you were watching to make sure it was
doing a "real" check.

 You can't use a possibly-cracked machine to check itself, unless you are
checking for breakins on non-root accounts.  (e.g. web page defacement if
they got in through httpd.)


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



Re: MD5 sums of individual files?

2001-03-29 Thread Dan Rowles
> That is something that I hadn't considered.  The cracker could potentially
> unmount /var/lib/aide/ro (where I have the floppy containing the AIDE
> checksums mounted) and place in that directory a newly-generated list of
> checksums, which AIDE would read the next time it runs.  When I got the
> report in my inbox, it would look like everything is fine.  IMHO, definitely
> a hole that's there regardless of whether I use a RO floppy or a CD-R.
>

Sometimes old fashioned solutions are the best. Print your log files on an
old Dot-Matrix Printer. Costs very little, attacker can't screw with them
after breaking in, and you can read them in the bath :)

Dan




Re: MD5 sums of individual files?

2001-03-29 Thread Noah L. Meyerhans
On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> It is more than possible.  There are people that have figured out how to pad
> a file to make the checksums the same.  They don't have to worry about the
> fact that your checksums cannot be changed because they will fake theirs to
> match.  This is much more work and would require that the hacker have more
> skills than the regular script kiddy.

No, MD5 has not been cracked.  There are theoretical vulnerabilities.
Some people have been able to create 2 files that have the same
checksum, but only if they have complete control over both files.  It is
not (currently) possible to take a given file and create another file
with the same MD5 sum.  That's not to say that it won't ever change, but
even if it does, there's no question that the file sizes would be
significantly different.  Tripwire (and most likely other similar
products) track file sizes in addition to checksums.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
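Noah's point that Tripwire tracks file sizes alongside checksums, and Peter's earlier point that padding a file changes its length, come down to the same check. The baseline and checker below are an added example, not code from the thread, Tripwire or AIDE: they record an MD5 (as the thread does) together with the size, write the list in a one-line-per-file format suitable for a write-protected floppy, and report size, hash and missing-file changes separately. The sample files are constructed in a temporary directory.

```python
"""Minimal MD5 + size integrity baseline and checker.  Added example; the
three 'binaries' in demo() are constructed, nothing is read from the real
system."""
import hashlib
import io
import os
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths):
    """{path: (md5, size)} for each path.  Recording the size means a padded
    substitute stands out even before the hash is compared."""
    return {p: (md5_of(p), os.path.getsize(p)) for p in paths}


def write_baseline(baseline, fp):
    """Serialize as 'md5  size  path' lines (two spaces between fields)."""
    for path, (digest, size) in sorted(baseline.items()):
        fp.write("%s  %d  %s\n" % (digest, size, path))


def read_baseline(fp):
    """Parse the lines written by write_baseline; '#' lines are comments."""
    baseline = {}
    for line in fp:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        digest, size, path = line.split("  ", 2)
        baseline[path] = (digest, int(size))
    return baseline


def check(baseline):
    """Compare the current filesystem against the baseline.  Returns
    {path: [reasons]} for every file that differs; 'size', 'md5' and
    'missing' are kept separate so the operator sees what kind of change
    it was."""
    findings = {}
    for path, (want_md5, want_size) in baseline.items():
        reasons = []
        if not os.path.exists(path):
            reasons.append("missing")
        else:
            if os.path.getsize(path) != want_size:
                reasons.append("size")
            if md5_of(path) != want_md5:
                reasons.append("md5")
        if reasons:
            findings[path] = reasons
    return findings


def demo():
    """Constructed scenario: baseline three fake binaries, round-trip the
    list through the text format, then pad one file, overwrite one in place
    keeping its size, and delete one.  Returns the findings keyed by name."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"fake binary " + os.path.basename(p).encode() + b"\n" * 64)
        buf = io.StringIO()
        write_baseline(make_baseline(paths), buf)   # "to the floppy"
        buf.seek(0)
        baseline = read_baseline(buf)                # "back from the floppy"
        with open(paths[0], "ab") as f:              # padded: size and md5 change
            f.write(b"\x00" * 16)
        with open(paths[1], "r+b") as f:             # same-size edit: md5 only
            f.seek(0)
            f.write(b"FAKE")
        os.remove(paths[2])                          # gone entirely
        return {os.path.basename(p): r for p, r in check(baseline).items()}


if __name__ == "__main__":
    print(demo())
```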





RE: MD5 sums of individual files?

2001-03-29 Thread Pat Moffitt
It is more than possible.  There are people that have figured out how to pad
a file to make the checksums the same.  They don't have to worry about the
fact that your checksums cannot be changed because they will fake theirs to
match.  This is much more work and would require that the hacker have more
skills than the regular script kiddy.

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.


> -Original Message-
> From: Don Laursen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 29, 2001 10:40 AM
> To: debian-security@lists.debian.org
> Subject: RE: MD5 sums of individual files?
>
>
> Ok with that said, how feasible is it for a cracker to install their
> rootkit, and mimic the checksummed files to match the contents of the
> floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> remount it to his/her pseudo check sums?
>
> I'm probably missing the howto detail where the alert is generated before
> rootkit is installed.
>
>
>
> Thanks,
> Don
>
>
> > Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
> > the disk's tab is moved to the RO position.  I agree... I wouldn't feel
> > comfortable or safe if the floppy was just mounted RO.
> >
>
> >> Another way to do this is to install the AIDE package, that performs a
> >> checksum to certain files that you specify in the configuration, by the
> >> way tripwire do it... It's so easy to install and send you an e-mail
> >> notifying the daily results
>



RE: MD5 sums of individual files?

2001-03-29 Thread Kenneth Pronovici
> Ok with that said, how feasible is it for a cracker to install their
> rootkit, and mimic the checksummed files to match the contents of the
> floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> remount it to his/her pseudo check sums?
> 
> I'm probably missing the howto detail where the alert is generated before
> rootkit is installed.

That is something that I hadn't considered.  The cracker could potentially
unmount /var/lib/aide/ro (where I have the floppy containing the AIDE 
checksums mounted) and place in that directory a newly-generated list of 
checksums, which AIDE would read the next time it runs.  When I got the 
report in my inbox, it would look like everything is fine.  IMHO, definitely 
a hole that's there regardless of whether I use a RO floppy or a CD-R.  

I see two ways to get around this: one solution is for me to GPG-sign the AIDE 
checksum list when I create it.  Then I could check the signature in my script 
that runs AIDE, and I would know that it was me who created it.  This would be 
more like what Tripwire's latest release does.

Another option would be to not store the AIDE configuration file anywhere that
the cracker could see it.  Without that configuration file, the cracker would
have no way to generate a valid, substitute list of checksums.  This is less
workable, because that configuration file would have to be "unhidden" every
time AIDE needed to run, making a cron-based schedule more difficult.

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."



RE: MD5 sums of individual files?

2001-03-29 Thread Don Laursen
Ok with that said, how feasible is it for a cracker to install their
rootkit, and mimic the checksummed files to match the contents of the
floppy? Wouldn't he/she just have to unmount the existing floppy drive,
remount it to his/her pseudo check sums?

I'm probably missing the howto detail where the alert is generated before
rootkit is installed.



Thanks,
Don


> Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
> the disk's tab is moved to the RO position.  I agree... I wouldn't feel
> comfortable or safe if the floppy was just mounted RO.
>

>> Another way to do this is to install the AIDE package, that performs a
>> checksum to certain files that you specify in the configuration, by the
>> way tripwire do it... It's so easy to install and send you an e-mail
>> notifying the daily results



Re: MD5 sums of individual files?

2001-03-29 Thread Patrick Maheral

On Thu, Mar 29, 2001 at 02:33:05PM -0500, Noah L. Meyerhans wrote:
> On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> > It is more than possible.  There are people that have figured out
> > how to pad a file to make the checksums the same.  They don't have
> > to worry about the
[snip]
> No, MD5 has not been cracked.  There are theoretical vulnerabilities.
> Some people have been able to create 2 files that have the same
> checksum, but only if they have complete control over both files.  It
> is not (currently) possible to take a given file and create another
> file with the same MD5 sum.  That's not to say that it won't ever
> change, but
[snip]

Why bother even trying to modify the file to have the same checksum.
All the rootkit must do is keep the original file around, and either
select the compromised file or original depending on whether it is being
openned for reading or executing.  A kernel module could be loaded
without rebooting to handle this if module loading is allowed.  If a
program loader (eg. ld.so and company) wants to open a file, use the
(hidden) compromised file, otherwise, serve up the original.

I think this has already been done in a rootkit or two.

Patrick Maheral


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: MD5 sums of individual files?

2001-03-29 Thread Martin Maney

On Thu, Mar 29, 2001 at 01:04:47PM -0600, Kenneth Pronovici wrote:
> Another option would be to not store the AIDE configuration file anywhere
> that the cracker could see it.  Without that configuration file, the
> cracker would have no way to generate a valid, substitute list of
> checksums.  This is less workable, because that configuration file would
> have to be "unhidden" every time AIDE needed to run, making a cron-based
> schedule more difficult.

Well, if the cracker is really good, you can't trust anything less than a
boot from physically secure media (and one that doesn't trust anything on
the system that's not physically secured) to run the scan anyway.  :-(

As you say, the scan's config has to be visible to him, so even if you ship
the results off to another box for comparison with the "known good"
signatures, all he has to do is install a fake scan program.  This answers
against nearly all checks less intrusive than a secure boot.  Luckily, most
crackers aren't capable of such subtlety... and so keeping the checklist on
write-protected media is a reasonable approach.  But security is a process,
not a cron job.  ;-)


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: MD5 sums of individual files?

2001-03-29 Thread Peter Cordes

On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> It is more than possible.  There are people that have figured out how to pad
> a file to make the checksums the same.  They don't have to worry about the
> fact that your checksums cannot be changed because they will fake theirs to
> match.
 We're talking about MD5 hashes here, not CRC error detection codes.  You're
saying that people have broken MD5.  If this were true, I would have heard
about it by now!

>  This is much more work and would require that the hacker have more
> skills than the regular script kiddy.

 AFAIK, this requires a computationally-infeasible amount of work.

 Besides, if you pad a file, then the length is wrong.  You can check that
too.  (Of course, you could just change bytes mid-file, but that is probably
even harder, i.e. still impossible without all the worlds computers and a
lot of time.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE






Re: MD5 sums of individual files?

2001-03-29 Thread Dan Rowles

- Original Message -
From: "Pat Moffitt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 29, 2001 8:19 PM
Subject: RE: MD5 sums of individual files?


> It is more than possible.  There are people that have figured out how to
> pad a file to make the checksums the same.  They don't have to worry about
> the fact that your checksums cannot be changed because they will fake theirs
> to match.  This is much more work and would require that the hacker have more
> skills than the regular script kiddy.


If you're using SHA / MD5 / RIPE this should be next to impossible, as these
algorithms are designed to protect against exactly this sort of attack. With
SHA, which produces a 160-bit hash, it should take you around 2^80 messages
before you find 2 that have the same hash, and about 2^159 before you can
find one which has the same hash as one of mine.

Of course, if you're using CRC32 for your checksum, that's a much easier
problem :)

Dan




>
> Pat Moffitt
> MIS Administrator
> Western Recreational Vehicles, Inc.
>
>
> > -Original Message-
> > From: Don Laursen [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, March 29, 2001 10:40 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: MD5 sums of individual files?
> >
> >
> > Ok with that said, how feasible is it for a cracker to install their
> > rootkit, and mimic the checksummed files to match the contents of the
> > floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> > remount it to his/her pseudo checksums?
> >
> > I'm probably missing the howto detail where the alert is generated before
> > the rootkit is installed.
> >
> >
> >
> > Thanks,
> > Don
> >
> >
> > > Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
> > > the disk's tab is moved to the RO position.  I agree... I
> > > wouldn't feel
> > > comfortable or safe if the floppy was just mounted RO.
> > >
> >
> > >> Another way to do this is to install the AIDE package, which performs a
> > >> checksum of certain files that you specify in the configuration, the way
> > >> tripwire does it... It's so easy to install and sends you an e-mail
> > >> notifying you of the daily results
> >
> >




Re: MD5 sums of individual files?

2001-03-29 Thread Kenneth Pronovici
> You remount it, or you umount it and change the read/write tab on the
> actual floppy?

Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
the disk's tab is moved to the RO position.  I agree... I wouldn't feel
comfortable or safe if the floppy was just mounted RO.

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."



Re: MD5 sums of individual files?

2001-03-29 Thread Peter Cordes

On Thu, Mar 29, 2001 at 01:04:47PM -0600, Kenneth Pronovici wrote:
> I see two ways to get around this: one solution is for me to GPG-sign the AIDE 
> checksum list when I create it.  Then I could check the signature in my script 
> that runs AIDE, and I would know that it was me who created it.  This would be 
> more like what Tripwire's latest release does.

 If they root your box, they could mess with your gpg keyring and/or binary.
They could just spew out fake emails that say the thing was checked, and
even spin the floppy disk in case you were watching to make sure it was
doing a "real" check.

 You can't use a possibly-cracked machine to check itself, unless you are
checking for breakins on non-root accounts.  (e.g. web page defacement if
they got in through httpd.)


-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE






Re: MD5 sums of individual files?

2001-03-29 Thread Dan Rowles

> That is something that I hadn't considered.  The cracker could potentially
> unmount /var/lib/aide/ro (where I have the floppy containing the AIDE
> checksums mounted) and place in that directory a newly-generated list of
> checksums, which AIDE would read the next time it runs.  When I got the
> report in my inbox, it would look like everything is fine.  IMHO, definitely
> a hole that's there regardless of whether I use a RO floppy or a CD-R.
>

Sometimes old-fashioned solutions are the best. Print your log files on an
old dot-matrix printer. Costs very little, the attacker can't screw with them
after breaking in, and you can read them in the bath :)

Dan







Re: MD5 sums of individual files?

2001-03-29 Thread Noah L. Meyerhans

On Thu, Mar 29, 2001 at 11:19:24AM -0800, Pat Moffitt wrote:
> It is more than possible.  There are people that have figured out how to pad
> a file to make the checksums the same.  They don't have to worry about the
> fact that your checksums cannot be changed because they will fake theirs to
> match.  This is much more work and would require that the hacker have more
> skills than the regular script kiddy.

No, MD5 has not been cracked.  There are theoretical vulnerabilities.
Some people have been able to create 2 files that have the same
checksum, but only if they have complete control over both files.  It is
not (currently) possible to take a given file and create another file
with the same MD5 sum.  That's not to say that it won't ever change, but
even if it does, there's no question that the file sizes would be
significantly different.  Tripwire (and most likely other similar
products) track file sizes in addition to checksums.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



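The distinction drawn in Dan's and Noah's replies above, a collision (the attacker chooses both files, roughly 2^(n/2) work for an n-bit hash) versus a second preimage of a file the attacker did not choose (roughly 2^n work), is what the rootkit-versus-checksum-list question turns on. The following is an added example, not code from the thread; it makes the gap visible by truncating MD5 to 16 bits so that both searches finish in well under a second. The counter-style messages it hashes are constructed for the demonstration, and the 16-bit width is a deliberate toy setting.

```python
import hashlib

BITS = 16  # toy width: real MD5 is 128 bits, at which both searches below are infeasible


def trunc_md5(data: bytes, bits: int = BITS) -> int:
    """Leading `bits` bits of MD5(data), as an integer (demonstration hash only)."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_collision(bits: int = BITS, prefix: bytes = b"msg-"):
    """Birthday search: hash distinct constructed messages until two share a value.

    The attacker chooses BOTH inputs, so any repeated hash value is a win.
    Expected cost is about 2**(bits/2) hash evaluations.
    Returns (message_a, message_b, hashes_computed).
    """
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        h = trunc_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def find_second_preimage(target: bytes, budget: int, bits: int = BITS,
                         prefix: bytes = b"evil-"):
    """Try to build a DIFFERENT message whose hash equals hash(target).

    This is what a rootkit author faces against a fixed, legitimately produced
    checksum list: the target file is not under their control.  Expected cost
    is about 2**bits evaluations, the square of the collision cost.
    Returns (message or None, hashes_computed).
    """
    want = trunc_md5(target, bits)
    for i in range(budget):
        msg = prefix + str(i).encode()
        if msg != target and trunc_md5(msg, bits) == want:
            return msg, i + 1
    return None, budget


def expected_work(bits: int):
    """(collision, second-preimage) work factors for an ideal `bits`-bit hash."""
    return 2 ** (bits // 2), 2 ** bits


if __name__ == "__main__":
    a, b, n = find_collision()
    print(f"collision after {n} hashes: {a!r} and {b!r} -> {trunc_md5(a):#06x}")
    # The target stands in for an existing binary whose checksum is already on the list.
    m, n2 = find_second_preimage(b"/bin/login (constructed target)", budget=1 << 20)
    print(f"second preimage after {n2} hashes: {m!r}")
    print("ideal work factors (collision, 2nd preimage):", expected_work(BITS))
    print("for real MD5:", expected_work(128))
```

At 16 bits the birthday search typically succeeds after a few hundred hashes while the second-preimage search needs on the order of 65,536; at MD5's full 128 bits the corresponding figures are about 2^64 and 2^128, which is why making an existing binary's list entry match a trojan is a different problem from producing two colliding files of one's own.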

RE: MD5 sums of individual files?

2001-03-29 Thread Pat Moffitt

It is more than possible.  There are people that have figured out how to pad
a file to make the checksums the same.  They don't have to worry about the
fact that your checksums cannot be changed because they will fake theirs to
match.  This is much more work and would require that the hacker have more
skills than the regular script kiddy.

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.


> -Original Message-
> From: Don Laursen [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 29, 2001 10:40 AM
> To: [EMAIL PROTECTED]
> Subject: RE: MD5 sums of individual files?
>
>
> > Ok with that said, how feasible is it for a cracker to install their
> > rootkit, and mimic the checksummed files to match the contents of the
> > floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> > remount it to his/her pseudo checksums?
> >
> > I'm probably missing the howto detail where the alert is generated before
> > the rootkit is installed.
>
>
>
> Thanks,
> Don
>
>
> > Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
> > the disk's tab is moved to the RO position.  I agree... I
> > wouldn't feel
> > comfortable or safe if the floppy was just mounted RO.
> >
>
> >> Another way to do this is to install the AIDE package, which performs a
> >> checksum of certain files that you specify in the configuration, the way
> >> tripwire does it... It's so easy to install and sends you an e-mail
> >> notifying you of the daily results
>
>




Re: MD5 sums of individual files?

2001-03-29 Thread Ryan Golbeck
You remount it, or you umount it and change the read/write tab on the
actual floppy?

If you just remount as read/write, remember that if a cracker gets root
access they can do it just as easily as you could to forge entries on
the disc.

Ryan

On Thu, Mar 29, 2001 at 10:04:30AM -0600, Kenneth Pronovici wrote:
> > Of course.  I'd have to burn a CDROM or something.  But it's something
> > I've been meaning to find out about, just in case...
> 
> I have a CD-R drive, but I don't use it for AIDE.  Instead, I keep my
> (otherwise-unused) floppy drive with an AIDE floppy in it always mounted
> as read-only.  When I need to update the AIDE database, I re-mount the 
> floppy as read-write, make the update, then remount it as read-only.
> This leaves the CD-R free for other tasks (like backups) but keeps the
> AIDE database relatively safe.
> 
> KEN
> 
> -- 
> Kenneth J. Pronovici <[EMAIL PROTECTED]>
> Personal Homepage: http://www.skyjammer.com/~pronovic/
> "The phrase, 'Happy as a clam' has never really held much meaning for me."
> 
> 


Re: MD5 sums of individual files?

2001-03-29 Thread Stephen Rank
Kenneth Pronovici wrote:
> [ ... ]When I need to update the AIDE database, I re-mount the
> floppy as read-write, make the update, then remount it as read-only.
> This leaves the CD-R free for other tasks (like backups) but keeps the
> AIDE database relatively safe.

Only in a very loose interpretation of `safe'.  If your machine is
broken into and the intruder has root access, your database is just as
vulnerable as if the disk hadn't been protected in the first place.  It
would be safer if the floppy was physically write-protected (with the
little sliding thing), which is impossible to undo or bypass remotely,
AFAIK.

Stephen



RE: MD5 sums of individual files?

2001-03-29 Thread Kenneth Pronovici

> Ok with that said, how feasible is it for a cracker to install their
> rootkit, and mimic the checksummed files to match the contents of the
> floppy? Wouldn't he/she just have to unmount the existing floppy drive,
> remount it to his/her pseudo checksums?
> 
> I'm probably missing the howto detail where the alert is generated before
> the rootkit is installed.

That is something that I hadn't considered.  The cracker could potentially
unmount /var/lib/aide/ro (where I have the floppy containing the AIDE 
checksums mounted) and place in that directory a newly-generated list of 
checksums, which AIDE would read the next time it runs.  When I got the 
report in my inbox, it would look like everything is fine.  IMHO, definitely 
a hole that's there regardless of whether I use a RO floppy or a CD-R.  

I see two ways to get around this: one solution is for me to GPG-sign the AIDE 
checksum list when I create it.  Then I could check the signature in my script 
that runs AIDE, and I would know that it was me who created it.  This would be 
more like what Tripwire's latest release does.

Another option would be to not store the AIDE configuration file anywhere that
the cracker could see it.  Without that configuration file, the cracker would
have no way to generate a valid, substitute list of checksums.  This is less
workable, because that configuration file would have to be "unhidden" every
time AIDE needed to run, making a cron-based schedule more difficult.

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."



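Don's unmount-and-substitute trick and Kenneth's description of his /var/lib/aide/ro floppy mount suggest one cheap check to run before every AIDE pass: confirm that the database directory is still a mount point, still backed by the expected device, and still read-only. The code below is an added example, not from the thread or the AIDE project; the /var/lib/aide/ro path and /dev/fd0 device follow the thread, the mount tables it parses are constructed samples, and the line format is that of Linux /proc/mounts. It runs on the same host, so, as Peter points out, a root-level intruder with a kernel module or a replaced interpreter can defeat it as well; it only closes the specific hole Kenneth describes.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample mount tables (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/hda1 / ext2 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/fd0 /var/lib/aide/ro ext2 ro,nosuid,nodev 0 0
"""
# Same host after the intruder ran `umount /var/lib/aide/ro` and dropped a
# forged database into the now-plain directory: the entry simply vanishes.
SAMPLE_AFTER_SUBSTITUTION = """\
/dev/hda1 / ext2 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
"""


@dataclass(frozen=True)
class MountEntry:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, MountEntry]:
    """Parse /proc/mounts-style text.  A later line for the same mount point
    shadows an earlier one, which is how the kernel presents stacked mounts."""
    entries: Dict[str, MountEntry] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        dev, mp, fstype, opts = (_unescape(p) for p in parts[:4])
        entries[mp] = MountEntry(dev, mp, fstype, frozenset(opts.split(",")))
    return entries


def check_aide_media(mounts_text: str, mountpoint: str, expected_device: str) -> Optional[str]:
    """Return None when `mountpoint` is backed by `expected_device` and mounted
    read-only, otherwise a reason string.  Three failure modes are told apart:
    the directory is no longer a mount point at all (unmount-and-substitute),
    something else was mounted over it, or it was remounted read-write."""
    entry = parse_mounts(mounts_text).get(mountpoint)
    if entry is None:
        return f"{mountpoint} is not a mount point; the database directory may have been substituted"
    if entry.device != expected_device:
        return f"{mountpoint} is backed by {entry.device}, expected {expected_device}"
    if "ro" not in entry.options:
        return f"{mountpoint} is mounted read-write"
    return None


if __name__ == "__main__":
    # Assumed layout from the thread: AIDE database floppy /dev/fd0 mounted on /var/lib/aide/ro.
    with open("/proc/mounts") as f:
        problem = check_aide_media(f.read(), "/var/lib/aide/ro", "/dev/fd0")
    if problem:
        sys.exit(f"refusing to run aide: {problem}")
    print("AIDE media looks intact; run: aide --check")
```

Wire it into the cron script ahead of the `aide --check` call so a missing or replaced mount aborts the run loudly instead of producing a clean-looking report from a forged database. The physical write-protect tab Stephen and Kenneth mention is still what stops a remount to read-write; this check merely notices when one has happened.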



Re: MD5 sums of individual files?

2001-03-29 Thread Kenneth Pronovici
> Of course.  I'd have to burn a CDROM or something.  But it's something
> I've been meaning to find out about, just in case...

I have a CD-R drive, but I don't use it for AIDE.  Instead, I keep my
(otherwise-unused) floppy drive with an AIDE floppy in it always mounted
as read-only.  When I need to update the AIDE database, I re-mount the 
floppy as read-write, make the update, then remount it as read-only.
This leaves the CD-R free for other tasks (like backups) but keeps the
AIDE database relatively safe.

KEN

-- 
Kenneth J. Pronovici <[EMAIL PROTECTED]>
Personal Homepage: http://www.skyjammer.com/~pronovic/
"The phrase, 'Happy as a clam' has never really held much meaning for me."



RE: MD5 sums of individual files?

2001-03-29 Thread Don Laursen

Ok with that said, how feasible is it for a cracker to install their
rootkit, and mimic the checksummed files to match the contents of the
floppy? Wouldn't he/she just have to unmount the existing floppy drive,
remount it to his/her pseudo checksums?

I'm probably missing the howto detail where the alert is generated before
the rootkit is installed.



Thanks,
Don


> Yes, sorry, I wasn't clear about that.  The floppy is mounted RO, plus
> the disk's tab is moved to the RO position.  I agree... I
> wouldn't feel
> comfortable or safe if the floppy was just mounted RO.
>

>> Another way to do this is to install the AIDE package, which performs a
>> checksum of certain files that you specify in the configuration, the way
>> tripwire does it... It's so easy to install and sends you an e-mail
>> notifying you of the daily results









Re: MD5 sums of individual files?

2001-03-29 Thread Ethan Benson
On Thu, Mar 29, 2001 at 09:49:38AM +0200, Tom Amm wrote:
> 
> Couldn't tripwire make that job somewhat easier?

not after the fact.  

though after the fact the only point to verifying binaries is for
forensic analysis.  a full clean reinstall is required to ensure the
system has been cleaned.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/






Re: MD5 sums of individual files?

2001-03-29 Thread William R. Ward
Olaf Meeuwissen writes:
>[EMAIL PROTECTED] (William R. Ward) writes:
>
>> One way to test if you have been hacked is to run an MD5 checksum of
>> key binaries and look to see if it's been replaced by the intruder.
>> Is there any place where the MD5 sums of individual executable files
>> (not the .deb files, but the /usr/bin/ files that come from them)
>> can be obtained?
>
>The info you're looking for can, for most packages at least, be found
>in /var/lib/dpkg/info/*.md5sums.  These files have MD5 sums for all
>files included in the .deb.
>
>Note that if you get hacked you can no longer rely on these files (so
>put them some place safe *before* you let other folks use or connect
>to your machine).  Of course, /usr/bin/md5sum is also suspect and can
>not be relied upon to tell you the truth.

Of course.  I'd have to burn a CDROM or something.  But it's something
I've been meaning to find out about, just in case...

-- 
William R Ward[EMAIL PROTECTED]  http://www.bayview.com/~hermit/
-
"Those are my principles. If you don't like them I have others."-Groucho Marx



Re: MD5 sums of individual files?

2001-03-29 Thread Tom Amm

Ethan Benson wrote:

> On Wed, Mar 28, 2001 at 06:42:37PM -0800, William R. Ward wrote:
>
> > One way to test if you have been hacked is to run an MD5 checksum of
> > key binaries and look to see if it's been replaced by the intruder.
> > Is there any place where the MD5 sums of individual executable files
> > (not the .deb files, but the /usr/bin/ files that come from them)
> > can be obtained?
>
> some/most(?) debian packages come with md5sum lists, they are in
> /var/lib/dpkg/info/packagename.md5sums.  the package debsums can verify
> them.  HOWEVER, since these md5sum lists are on the same disk as the
> binaries they cannot be trusted for security purposes, since it would
> be quite easy for an attacker to replace the md5sum lists with ones
> that match the trojaned binaries.
>
> however if you have another debian box you are certain is not
> compromised you can use its md5sums.  but you must boot off a known
> clean boot disk and NOT root to the compromised disk, there could be
> kernel modules installed which will hide things.

Couldn't tripwire make that job somewhat easier?



Re: MD5 sums of individual files?

2001-03-29 Thread Josep Llauradó Selvas

Another way to do this is to install the AIDE package, which performs a checksum
of certain files that you specify in the configuration, the way tripwire does
it... It's so easy to install and sends you an e-mail notifying you of the daily
results of the check. The database can be 'hard stored' on a floppy disk (with
backup copies, of course) that is write-protected, or on a CD-ROM, which makes it
impossible to alter the database with the checksum information.

I recommend it, 'cos it's easy to install and manage and doesn't require
maintenance...


On Wed, 28 Mar 2001, Ethan Benson wrote:

> On Wed, Mar 28, 2001 at 06:42:37PM -0800, William R. Ward wrote:
> > 
> > One way to test if you have been hacked is to run an MD5 checksum of
> > key binaries and look to see if it's been replaced by the intruder.
> > Is there any place where the MD5 sums of individual executable files
> > (not the .deb files, but the /usr/bin/ files that come from them)
> > can be obtained?
> 
> some/most(?) debian packages come with md5sum lists, they are in
> /var/lib/dpkg/info/packagename.md5sums.  the package debsums can verify
> them.  HOWEVER, since these md5sum lists are on the same disk as the
> binaries they cannot be trusted for security purposes, since it would
> be quite easy for an attacker to replace the md5sum lists with ones
> that match the trojaned binaries.  
> 
> however if you have another debian box you are certain is not
> compromised you can use its md5sums.  but you must boot off a known
> clean boot disk and NOT root to the compromised disk, there could be
> kernel modules installed which will hide things.  
> 
> -- 
> Ethan Benson
> http://www.alaska.net/~erbenson/
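Ethan's advice, quoted in Tom's and Josep's messages above, is to boot a known-clean rescue disk, mount the suspect disk without running anything from it, and compare its binaries against the /var/lib/dpkg/info/<package>.md5sums lists from a box you trust. This is an added example, not from the thread or from debsums: it does that comparison with Python's hashlib rather than with the suspect disk's /usr/bin/md5sum (Olaf's point that md5sum itself is suspect), assumes the suspect filesystem is mounted read-only at a path such as /mnt/suspect, and builds a constructed sample tree and trusted list so that it runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterator, Tuple


def parse_dpkg_md5sums(text: str) -> Iterator[Tuple[str, str]]:
    """Parse lines in the format dpkg ships in /var/lib/dpkg/info/<pkg>.md5sums:
    `<32 hex chars>  <path relative to />`.  Yields (relative_path, md5hex).
    A leading slash is stripped so that a hostile or hand-edited entry can never
    make us hash a file on the rescue system instead of on the suspect disk."""
    for line in text.splitlines():
        if not line.strip():
            continue
        md5hex, _, path = line.partition("  ")
        yield path.lstrip("/"), md5hex.strip().lower()


def md5_file(path: Path, chunk: int = 1 << 16) -> str:
    """MD5 computed here with hashlib, never with the suspect disk's md5sum binary."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(md5sums_text: str, root: Path) -> Dict[str, str]:
    """Check each listed file under `root` (the suspect disk mounted read-only
    from a rescue boot, e.g. /mnt/suspect) against the trusted list taken from
    a known-clean box.  Returns {relative_path: OK|FAILED|MISSING|SYMLINK}.
    A symlink is reported rather than followed: an absolute target would resolve
    against the rescue system, and dpkg does not list symlinks in .md5sums, so
    one appearing where a binary should be is itself suspicious."""
    results: Dict[str, str] = {}
    for rel, want in parse_dpkg_md5sums(md5sums_text):
        p = root / rel
        if p.is_symlink():
            results[rel] = "SYMLINK"
        elif not p.is_file():
            results[rel] = "MISSING"
        elif md5_file(p) != want:
            results[rel] = "FAILED"
        else:
            results[rel] = "OK"
    return results


def build_sample_tree() -> Tuple[Path, str]:
    """Constructed sample, not a real system: a fake mounted root plus a trusted
    md5sums list as it would come from the clean box.  One binary is intact,
    one was replaced, one was deleted and one was turned into a symlink."""
    clean = {
        "usr/bin/login": b"#!/bin/sh\necho clean login\n",
        "usr/bin/ps": b"#!/bin/sh\necho clean ps\n",
        "usr/bin/netstat": b"#!/bin/sh\necho clean netstat\n",
        "usr/bin/ls": b"#!/bin/sh\necho clean ls\n",
    }
    trusted = "".join(f"{hashlib.md5(data).hexdigest()}  {path}\n" for path, data in clean.items())
    root = Path(tempfile.mkdtemp(prefix="suspect-root-"))
    (root / "usr/bin").mkdir(parents=True)
    (root / "usr/bin/login").write_bytes(clean["usr/bin/login"])
    (root / "usr/bin/ps").write_bytes(b"#!/bin/sh\necho trojaned ps\n")  # rootkit replacement
    (root / "usr/bin/ls").symlink_to("/bin/ls")  # points outside the suspect tree
    # usr/bin/netstat is deliberately absent.
    return root, trusted


if __name__ == "__main__":
    root, trusted = build_sample_tree()
    for path, status in sorted(verify_tree(trusted, root).items()):
        print(f"{status:8} {path}")
```

On a real incident the trusted text is the concatenation of the clean box's /var/lib/dpkg/info/*.md5sums for the same package versions, and `root` is the suspect disk's mount point. The dpkg lists carry hashes only, so the file-size baseline Noah mentions for Tripwire would have to be recorded from the clean box separately; and debsums on a live system compares against the lists on the same disk, which is exactly what Ethan warns cannot be trusted.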