Leveraging Relocations in ELF-binaries for Linux Kernel Version Identification

Bhatt, Manish

20 December 2018

In this paper, we present a working research prototype codeid-elf for ELF binaries based on its Windows counterpart codeid, which can identify kernels through relocation entries extracted from the binaries. We show that relocation-based signatures are unique and distinct and thus, can be used to accurately determine Linux kernel versions and derandomize the base address of the kernel in memory (when kernel Address Space Layout Randomization is enabled). We evaluate the effectiveness of codeid-elf on a subset of Linux kernels and find that the relocations in kernel code have nearly 100\% code coverage and low similarity (uniqueness) across various kernels. Finally, we show that codeid-elf, which leverages relocations in kernel code, can detect all kernel versions in the test set with almost 100% page hit rate and nearly zero false negatives.

Information Security

Content Management Systems and MD5: Investigating Alternative Methods of Version Identification for Open Source Projects

Trusz, Jakob

January 2017

WordPress is a very widely used content management system that enables users to easier create websites. The popularity of WordPress has made it a prime target for attacks by hackers since a potential vulnerability would affect many targets. Vulnerabilities that can be utilised in an attack are referred to as exploits. Most exploits are only viable for a subset of all the version of the software that they target. The knowledge of which version of a content managements system a website is running is often not explicit or easy to determine. Attackers can potentially exploit a vulnerable website faster if the version is known, since this allows them to search for existing vulnerabilities and exploits, instead of trying to identify a new vulnerability. The purpose of this thesis is to investigate existing and alternate methods for detecting the version of WordPress on websites that are powered by it. The scope is limited to an analysis of existing tools and the suggested methods for version identification are limited to identification using unique values that are calculated from the contents of files. The suggested methods for version identification and the generation of the required data is implemented using Python 3, the programming language. We investigate the feasibility of version obfuscation, how discernible a version of WordPress is, and how to compare versions of WordPress. The thesis has proven the feasibility of version identification with a new perspective that delivers more accurate results than previous methods. Version obfuscation has also been proven to be very feasible without affecting the usability of the WordPress website. Furthermore, a method for discerning between two specific versions of WordPress is presented. All the results are in theory applicable to other software projects that are hosted and developed in the same way. This new area of research has much for security professionals and has room for future improvement.

Content Management Systems

Version Identification

Obfuscation

Elektroteknik och elektronik