Submission #191374: Taking advantage of rkhunter logs to be able to bypass.

Title: Taking advantage of rkhunter logs to be able to bypass.
Description: We managed to take advantage of rkhunter's own logs to do a bypass. It shows the signatures, the strings it looks for, and saves all this in the log file "/var/log/rkhunter.log", so you just need read permissions on the file "/var/log/rkhunter.log" and you will know exactly all the strings, signatures, everything it looks for in directories, files, etc., in order to be able to detect if there is any rootkit/malware on your machine. And with that we can take advantage of it to modify our malware/rootkit and successfully bypass rkhunter, because we know exactly what kind of signatures, strings, etc. it looks for. This is a very common technique for bypassing signature-based security protections. Well, in summary, this type of "vulnerability/misconfig/bypass" is only possible because rkhunter saves the logs in "/var/log/rkhunter.log"; so far so good, however, the fact that it shows the strings, directories, signatures, etc. is what makes it possible to bypass. Thinking about a real scenario, an attacker can download rkhunter on his own machine, view the logs and know everything that rkhunter looks for to detect a malware/rootkit, and through this, with the attacker knowing where rkhunter can "detect" the rootkit, the attacker will be able to modify the strings and exact functions of your rootkit/malware to use it in a real environment. A possible correction or patch would be not to show all the signatures, directories and strings that it is looking for, but rather just to alert whether or not there is any malware/rootkit on the machine where rkhunter is running, saving this both in a log file and printing it on screen.
Source: https://gist.github.com/MatheuZSecurity/16ef0219db8f85f49f945a25d5eb42d7
User: mtzsec (UID 52162)
Submitted: 05/08/2023 22:54 (3 years ago)
Moderated: 18/08/2023 10:11 (12 days later)
Status: Accepted
VulDB entry: 237516 [rkhunter Rootkit Hunter 1.4.4/1.4.6 /var/log/rkhunter.log information disclosure]
Points: 20
