ManTrap Root Directory Inode Disclosure Vulnerability
BID:1909
Info
ManTrap Root Directory Inode Disclosure Vulnerability
| Bugtraq ID: | 1909 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | No |
| Published: | Nov 01 2000 12:00AM |
| Updated: | Nov 01 2000 12:00AM |
| Credit: | First published in a Fate Labs advisory on November 1, 2000. |
| Vulnerable: |
Recourse Technologies ManTrap 1.6.1 |
| Not Vulnerable: |
Recourse Technologies ManTrap 2.0 |
Discussion
ManTrap Root Directory Inode Disclosure Vulnerability
ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it.
Chroot (change root) is a unix mechanism that allows an administrator to force a process/process group to run under a subset of the file system, denying access to any other parts of the file system. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem.
This vulnerability, combined with hidden process disclosure (bugtraq ID 1908) should fairly accurately verify to an attaacker (without root privs) that the host is a ManTrap honeypot, defeating its purpose.
ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it.
Chroot (change root) is a unix mechanism that allows an administrator to force a process/process group to run under a subset of the file system, denying access to any other parts of the file system. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem.
This vulnerability, combined with hidden process disclosure (bugtraq ID 1908) should fairly accurately verify to an attaacker (without root privs) that the host is a ManTrap honeypot, defeating its purpose.
Exploit / POC
ManTrap Root Directory Inode Disclosure Vulnerability
Exploit available:
Exploit available:
Solution / Fix
ManTrap Root Directory Inode Disclosure Vulnerability
Solution:
This signature has been fixed in ManTrap v2.0 with the most recent patch set. Please contact Recourse Technologies for information on how to obtain v2.0 and/or the current patch set. Contact information can be found at www.recourse.com.
Solution:
This signature has been fixed in ManTrap v2.0 with the most recent patch set. Please contact Recourse Technologies for information on how to obtain v2.0 and/or the current patch set. Contact information can be found at www.recourse.com.
References
ManTrap Root Directory Inode Disclosure Vulnerability
References:
References: