chkrootkit (part #4)

In chkrootkit

#define MAX_ID 99999

int main(int argc, char*argv[]) {
        int             fh_wtmp;
        int             fh_lastlog;
        struct lastlog  lastlog_ent;
        struct utmp     utmp_ent;
        long            userid[MAX_ID];

...

        for (i=0; i<MAX_ID; i++)
                userid[i]=FALSE;

...

                if (*uid > MAX_ID)
                {
                   fprintf(stderr, "MAX_ID is %ld and current uid is %ld, please check\n\r", (long int)MAX_ID, (long int)*uid );
                   exit (1);

                }

uid gets set by getpwnam(). On modern systems, it can be 32bits. Much higher than MAX_ID of 99999. If your backdoored account has a high uid, it won't be detected in lastlog/wtmp rootkit detection.

This is not unusually bad of chkrootkit. It's just old code that hasn't been maintained.

Comments

Popular posts from this blog

Heap Exploitation in Chrome's PartitionAlloc - part 1

Pointer Compression in V8

Linux Kernel Stack Smashing