Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#2341 closed defect (not a bug)

Shellcode

Reported by: cypherpunks Owned by:
Priority: Medium Milestone:
Component: Core Tor/Tor Version: Tor: 0.2.1.26
Severity: Keywords: tor-relay
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Hi,
I am running a new Tor router and also use Snort. I detect some SHELLCODE x86 setuid 0. Since it is connected to buffer-overflows, none known positives/negatives false alarm, and possibility for the current process to inherent root privileges on Solaris, Unix X86 and Linux X86 I wonder if it’s a real part of an attack or known false detection, i.e. something in the Tor protocol/binary data? Tor Wiki gives no information about problems with using Snort.

Child Tickets

Attachments (1)

SyslogCatchAll Shellcode.txt (7.8 KB) - added by cypherpunks 9 years ago.

Download all attachments as: .zip

Change History (4)

Changed 9 years ago by cypherpunks

comment:1 Changed 9 years ago by nickm

Resolution: not a bug
Status: newclosed
Type: taskdefect

Well, this is more of a snort question than a Tor question. The sequences that snort is checking for here are sequences that would be interpreted as "Setuid 0" if they were run in a binary. Some of them are very short , so you shouldn't be surprised to see them occur randomly in binary data. A quick search for "shellcode x86 setuid 0" should turn up some more information here.

(And whoever said that "shellcode x86 setuid 0" has no known false positives, no known false negatives, or no known false alarms is IMO quite mistaken. If I'm reading the documentation right, it's just a 4-byte sequence that you'd expect to occur by chance in encrypted data once every GB or so -- so that would be create both positives and false alarms. It's pretty trivial to write obfuscated exploits, so false negatives are also expected.)

Here are some links I found useful:

http://seclists.org/ids/2000/Jun/36 (explains both why you should expect false positives and false negatives)


comment:2 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:3 Changed 7 years ago by nickm

Component: Tor RelayTor
Note: See TracTickets for help on using tickets.