chkrootkit (part #4)

In chkrootkit

#define MAX_ID 99999

int main(int argc, char*argv[]) {
        int             fh_wtmp;
        int             fh_lastlog;
        struct lastlog  lastlog_ent;
        struct utmp     utmp_ent;
        long            userid[MAX_ID];

...

        for (i=0; i<MAX_ID; i++)
                userid[i]=FALSE;

...

                if (*uid > MAX_ID)
                {
                   fprintf(stderr, "MAX_ID is %ld and current uid is %ld, please check\n\r", (long int)MAX_ID, (long int)*uid );
                   exit (1);

                }

uid gets set by getpwnam(). On modern systems, it can be 32bits. Much higher than MAX_ID of 99999. If your backdoored account has a high uid, it won't be detected in lastlog/wtmp rootkit detection.

This is not unusually bad of chkrootkit. It's just old code that hasn't been maintained.

Comments

Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)