Bug 73372 - Chkrootkit reports "ls" and "du" as infected, when coreutils is built with the "static" use-flag.
Bug#: 73372
Product: Gentoo Linux
Version: unspecified
Platform: x86
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: forensics@gentoo.org
Reported By: mikkel@krautz.dk
Component: Applications
URL:
Summary: Chkrootkit reports "ls" and "du" as infected, when coreutils is built with the "static" use-flag.
Keywords:
Status Whiteboard:
Opened: 2004-12-04 12:41 0000
When coreutils is built with the "static" use-flag, chkrootkit apparently
detects the binaries "/bin/du", and "/bin/ls" as "infected".
Reproducible: Always
Steps to Reproduce:
1. USE="static" emerge coreutils
2. chkrootkit ls du
3. ...
4. Profit!
Actual Results:
# chkrootkit du ls
ROOTDIR is `/'
Checking `du'... INFECTED
Checking `ls'... INFECTED
Expected Results:
# chkrootkit du ls
ROOTDIR is `/'
Checking `du'... not infected
Checking `ls'... not infected
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.8.1-ck9 i686)
=================================================================
System uname: 2.6.8.1-ck9 i686 AMD Duron(tm)
Gentoo Base System version 1.6.6
Same Here.
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.9-nitro4 i686)
=================================================================
System uname: 2.6.9-nitro4 i686 VIA Nehemiah
Gentoo Base System version 1.4.16
I'm not going to be able to attempt to reproduce this until bug 51328 is fixed.
Although that's a different package, vapier says it's the same bug that is
causing coreutils to fail when USE=static.
Daniel, maybe you'll have more luck on a different arch or something?
Doing the chkrootkit tests:
$ strings -a `which du` | egrep "/dev/ttyof|/dev/pty[pqrsx]|w0rm|/prof|/dev/tux|file\.h"
/var/profile
$ strings -a `which ls` | egrep "/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|/prof|/dev/tux|/security|file\.h"
/var/profile
This happens because:
$ strings /usr/lib/libc.a | fgrep /var/profile
/var/profile
Looking at glibc source code:
fgrep -r -A 3 -B 3 /var/profile .
./glibc-2.3.3/ChangeLog.12-2001-01-08 Ulrich Drepper <drepper@redhat.com>
./glibc-2.3.3/ChangeLog.12-
./glibc-2.3.3/ChangeLog.12- * elf/rtld.c (process_envvars): Place output files for profiling
./glibc-2.3.3/ChangeLog.12: in SUID binaries in /var/profile.
./glibc-2.3.3/ChangeLog.12-
./glibc-2.3.3/ChangeLog.12- * elf/dl-load.c (_dl_map_object): Don't look in cache for
./glibc-2.3.3/ChangeLog.12- preloading in SUID binaries.
--
./glibc-2.3.3/elf/dl-support.c- _dl_profile_output = getenv ("LD_PROFILE_OUTPUT");
./glibc-2.3.3/elf/dl-support.c- if (_dl_profile_output == NULL || _dl_profile_output[0] == '\0')
./glibc-2.3.3/elf/dl-support.c- _dl_profile_output
./glibc-2.3.3/elf/dl-support.c: = &"/var/tmp\0/var/profile"[__libc_enable_secure ? 9 : 0];
./glibc-2.3.3/elf/dl-support.c-
./glibc-2.3.3/elf/dl-support.c- if (__libc_enable_secure)
./glibc-2.3.3/elf/dl-support.c- {
--
./glibc-2.3.3/elf/rtld.c-
./glibc-2.3.3/elf/rtld.c- /* This is the default place for profiling data file. */
./glibc-2.3.3/elf/rtld.c- GLRO(dl_profile_output)
./glibc-2.3.3/elf/rtld.c: = &"/var/tmp\0/var/profile"[INTUSE(__libc_enable_secure) ? 9 : 0];
./glibc-2.3.3/elf/rtld.c-
./glibc-2.3.3/elf/rtld.c- /* Extra security for SUID binaries. Remove all dangerous environment
./glibc-2.3.3/elf/rtld.c- variables. */
The solution:
I looked around for why chkrootkit uses /prof as a pattern that should be searched for, but I couldn't find anything. If I had found something I could have changed the search pattern so that it maybe didn't find /var/profile.
The other option is to remove the /prof pattern from chkrootkit; however, this leaves a vulnerability.
(sed -i -e 's:|/prof::g' /usr/sbin/chkrootkit)
If you could email the chkrootkit author about what /prof is matching, then we could develop a pattern that wouldn't generate false positives.
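As an added example (not code from the bug report or from chkrootkit itself), the following shell script re-creates the string-signature check walked through above on constructed `strings -a` output, so the false positive can be seen without a static coreutils build. The signature alternations are the ones quoted in the comment, the sample strings are constructed, and `triage` is a hypothetical helper that recognises the glibc `/var/profile` artifact the comment traces to elf/dl-support.c.

```shell
#!/bin/sh
# Added example, not from the bug report: re-creates chkrootkit's string
# signature check on constructed `strings -a` output, showing how glibc's
# "/var/profile" (pulled into every static binary from libc.a) hits "/prof".

# Signature alternations exactly as quoted in the comment for `du` and `ls`.
DU_SIG='/dev/ttyof|/dev/pty[pqrsx]|w0rm|/prof|/dev/tux|file\.h'
LS_SIG='/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|/prof|/dev/tux|/security|file\.h'

# Constructed stand-in for `strings -a` on a USE=static coreutils binary:
# the rtld profiling strings from elf/dl-support.c come along with libc.a.
static_strings() {
    printf '%s\n' '/var/tmp' '/var/profile' 'LD_PROFILE_OUTPUT' 'GNU coreutils'
}

# Constructed stand-in for a dynamically linked build (no rtld strings).
dynamic_strings() {
    printf '%s\n' 'GNU coreutils' '/lib/ld-linux.so.2'
}

# Constructed stand-in for a genuinely trojaned binary, using a string from
# the signature list itself so the check is shown to still work.
trojaned_strings() {
    printf '%s\n' 'GNU coreutils' 'w0rm'
}

# chkrootkit-style verdict: INFECTED if any alternative matches any string.
# $1 = function emitting the strings, $2 = signature alternation.
check() {
    if "$1" | grep -E "$2" >/dev/null; then echo INFECTED; else echo 'not infected'; fi
}

# Which alternative fired: prints only the matched fragment, so a hit on
# "/var/profile" shows up as "/prof".
explain() {
    "$1" | grep -E -o "$2" | sort -u
}

# Triage a hit. The bug traces "/var/profile" to glibc's dl-support.c, so a
# hit on exactly that string is a known false positive for static binaries;
# anything else stays suspect until the binary has been verified.
triage() {
    hit=$("$1" | grep -E "$2" | head -n 1)
    case "$hit" in
        '')           echo clean ;;
        /var/profile) echo 'false positive: glibc static profiling path' ;;
        *)            echo "suspect: $hit" ;;
    esac
}
```

Run `explain static_strings "$LS_SIG"` to see that the only alternative firing on the static build is `/prof`, which is what the comment's `strings | egrep` output shows via `/var/profile`.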