ManTrap Hidden Process Disclosure Vulnerability
BID:1908
Info
ManTrap Hidden Process Disclosure Vulnerability
| Bugtraq ID: | 1908 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 01 2000 12:00AM |
| Updated: | Nov 01 2000 12:00AM |
| Credit: | Discovered by Fate Labs and published in an advisory on Nov 1, 2000. |
| Vulnerable: |
Recourse Technologies ManTrap 1.6.1 |
| Not Vulnerable: |
Recourse Technologies ManTrap 2.0 |
Discussion
ManTrap Hidden Process Disclosure Vulnerability
ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it. To ensure that the "lured" hacker doesn't realize that they are on a ManTrap host, certain processes must be hidden. One of the ways this is accomplished in ManTrap is through kernel modules that prevent /proc entries from being created for these processes. Unfortunately this is trivial to bypass through comparing process information retrieved directly from kernel memory to the contents of /proc.
The kill() system call does not read from /proc. A hacker may, for example, write a program to send SIGCONT (or another signal usually ignored) to incrementing process ID's verifying valid PIDs (that dont belong to them) by the errno value generated by kill() (EEPERM). The valid PIDs that are not in /proc would be the 'hidden' processes.
ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it. To ensure that the "lured" hacker doesn't realize that they are on a ManTrap host, certain processes must be hidden. One of the ways this is accomplished in ManTrap is through kernel modules that prevent /proc entries from being created for these processes. Unfortunately this is trivial to bypass through comparing process information retrieved directly from kernel memory to the contents of /proc.
The kill() system call does not read from /proc. A hacker may, for example, write a program to send SIGCONT (or another signal usually ignored) to incrementing process ID's verifying valid PIDs (that dont belong to them) by the errno value generated by kill() (EEPERM). The valid PIDs that are not in /proc would be the 'hidden' processes.
Exploit / POC
ManTrap Hidden Process Disclosure Vulnerability
Exploit available:
Exploit available:
Solution / Fix
ManTrap Hidden Process Disclosure Vulnerability
Solution:
This signature has been fixed in ManTrap v2.0 with the most recent patch set. Please contact Recourse Technologies for information on how to obtain v2.0 and/or the current patch set. Contact information can be found at www.recourse.com.
Solution:
This signature has been fixed in ManTrap v2.0 with the most recent patch set. Please contact Recourse Technologies for information on how to obtain v2.0 and/or the current patch set. Contact information can be found at www.recourse.com.
References
ManTrap Hidden Process Disclosure Vulnerability
References:
References: