ManTrap Root Directory Inode Disclosure Vulnerability

ManTrap is a "honeypot" intrusion detection system designed to lure attackers into it for analysis. The honeypot is implemented as a chroot'ed Solaris environment, designed to look and feel real to an attacker who gains access to it.

Chroot (change root) is a unix mechanism that allows an administrator to force a process/process group to run under a subset of the file system, denying access to any other parts of the file system. It is possible for an attacker to guess that they are on a chrooted() ManTrap system by looking at the inode of the root directory (ls -id /). If it is high (usually within the 100000-200000 range), then the root directory is a chrooted() subset of a larger filesystem.

This vulnerability, combined with hidden process disclosure (bugtraq ID 1908) should fairly accurately verify to an attaacker (without root privs) that the host is a ManTrap honeypot, defeating its purpose.


Privacy Statement
Copyright 2010, SecurityFocus