Bug 1871073 - ss behaviour causing false positives in unhide-tcp
Summary: ss behaviour causing false positives in unhide-tcp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: iproute
Version: 31
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Phil Sutter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-08-21 09:34 UTC by David Waring
Modified: 2020-09-23 18:10 UTC (History)

Fixed In Version: iproute-5.4.0-2.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-09-23 18:10:02 UTC
Type: Bug
Embargoed:



Description David Waring 2020-08-21 09:34:18 UTC
Description of problem:
A missing newline at the end of the ss command output is causing false positives for hidden ports in unhide-tcp.

Version-Release number of selected component (if applicable):
iproute-5.4.0-1.fc31.x86_64
unhide-20130526-13.fc31.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Make a connection to another host, e.g. ssh
2. Run unhide-tcp
3.

Actual results:
Port is reported as hidden

Expected results:
No hidden port reported

Additional info:
This appears to be because ss is not including a newline character at the end of its output, but is instead extending the last line using spaces to pad to the terminal width and push the prompt onto the next line. This is confusing unhide-tcp, which is expecting to see a port number followed by a newline. However, the newline is missing, causing unhide-tcp not to recognise that ss could see the port, and thus reporting it as hidden.

Example ss output with terminal prompts:
------------------------------------------------------
[user@myhost ~]$ ss -tan sport = :39322
State      Recv-Q  Send-Q    Local Address:Port      Peer Address:Port Process  
TIME-WAIT  0       0        192.168.105.10:39322   192.168.105.36:2222          [user@myhost ~]$
------------------------------------------------------
It can be seen that the shell prompt appears after the 80th character on the last line and not on the next line. It becomes more apparent when you pipe the output of ss through cat, e.g. ss -tan sport = :39322|cat.
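The failure mode described in this report, reproduced in Python as an added illustration (this is not unhide-tcp's code nor the reporter's). The two sample outputs are constructed from the example above: one padded and unterminated as the unfixed ss emits it, one newline-terminated as the fixed ss emits it. `fragile_port_seen` is modelled on the behaviour the report describes, a check that only accepts a port on a newline-terminated line; `parse_ss` splits each line into fields instead, so the missing final newline and the padding make no difference. `ends_with_newline` is the quick test of whether an installed ss still has the bug.

```python
import re
import shutil
import subprocess

# Constructed sample, not captured output: the report's example as the
# unfixed ss (iproute-5.4.0-1) emits it.  The last line is padded with
# spaces out to the terminal width and carries no trailing newline.
SS_OUTPUT_PADDED = (
    "State      Recv-Q  Send-Q    Local Address:Port      Peer Address:Port Process  \n"
    "TIME-WAIT  0       0        192.168.105.10:39322   192.168.105.36:2222          "
)

# Constructed sample: the same socket as the fixed ss (iproute-5.4.0-2)
# prints it, newline-terminated.
SS_OUTPUT_FIXED = (
    "State      Recv-Q  Send-Q    Local Address:Port      Peer Address:Port Process  \n"
    "TIME-WAIT  0       0        192.168.105.10:39322   192.168.105.36:2222\n"
)


def fragile_port_seen(output: str, port: int) -> bool:
    """Line-oriented check modelled on the failure the report describes
    (an illustration, not unhide-tcp's own code): the port counts as seen
    only when the line showing it is terminated by a newline.  A padded,
    unterminated last line therefore never matches."""
    pattern = re.compile(rf":{port}(?=\s)[^\n]*\n")
    return pattern.search(output) is not None


def split_hostport(addr: str) -> tuple:
    """Split an ss address column such as '192.168.105.10:39322',
    '[::1]:35417' or '[::]:*' into (host, port); a '*' port becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_ss(output: str) -> list:
    """Parse `ss -tan`-style output into records.  splitlines() yields the
    last line whether or not it ends in a newline, and rstrip() drops the
    padding, so both samples above parse to the same record."""
    records = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("State"):
            continue  # blank line or column header
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket line
        state, recvq, sendq, local, peer = fields[:5]
        local_host, local_port = split_hostport(local)
        peer_host, peer_port = split_hostport(peer)
        records.append({
            "state": state,
            "recv_q": int(recvq),
            "send_q": int(sendq),
            "local_host": local_host,
            "local_port": local_port,
            "peer_host": peer_host,
            "peer_port": peer_port,
            "process": " ".join(fields[5:]),  # empty unless ss was run with -p
        })
    return records


def robust_port_seen(output: str, port: int) -> bool:
    """Field-based check: the port is seen if any record has it as local port."""
    return any(r["local_port"] == port for r in parse_ss(output))


def ends_with_newline(data: bytes) -> bool:
    """True if a command's raw output is newline-terminated; the quickest way
    to tell whether the installed ss still has the bug."""
    return data.endswith(b"\n")


if __name__ == "__main__":
    for name, sample in (("padded", SS_OUTPUT_PADDED), ("fixed", SS_OUTPUT_FIXED)):
        print(f"{name}: fragile={fragile_port_seen(sample, 39322)} "
              f"robust={robust_port_seen(sample, 39322)}")
    if shutil.which("ss"):
        out = subprocess.run(["ss", "-tan"], capture_output=True, check=True).stdout
        print("installed ss terminates its output:", ends_with_newline(out))
```

Run stand-alone, the script shows the fragile check reporting the padded sample as unseen (the false positive) while the field-based parse finds port 39322 in both samples; if `ss` is installed it also reports whether that binary's output ends in a newline.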

Comment 1 Phil Sutter 2020-08-21 10:21:01 UTC
Hi,

What is unhide-tcp?

Please keep in mind that ss output is meant for humans, not necessarily scripts.
Maybe you could use '--diag' option and parse the binary data instead?

Anyway, looks like we're missing the following commit:

commit 9eee92a41ae630b2c9e92ae2875ca56801c96b73
Author: Brian Vazquez <brianvv>
Date:   Wed Dec 4 13:32:28 2019 -0800

    ss: fix end-of-line printing in misc/ss.c

    The previous change to ss to show header broke the printing of
    end-of-line for the last entry.

    Tested:

    diff <(./ss.old -nltp) <(misc/ss -nltp)
    38c38
    < LISTEN   0  128   [::1]:35417  [::]:*  users:(("foo",pid=65254,fd=116))
    \ No newline at end of file

    Signed-off-by: Stephen Hemminger <stephen>

(Yes, Fixes: tags are for the weak and so are SoBs or maintainers insisting on both.)

Comment 2 David Waring 2020-08-21 10:47:49 UTC
unhide-tcp is part of the unhide package and tries to detect hidden TCP and UDP ports, i.e. ports that are open on your system, but that don't show up in tools like ss or netstat. It's used by rkhunter as part of its root kit detection.
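The check unhide-tcp performs, as described in the comment above, written out as an added Python illustration (this is not unhide's code): a port whose bind() fails with EADDRINUSE is in use; if the socket listing does not show it, something is hiding it. The listing here is read from /proc/net/tcp{,6} rather than from ss output, which is an assumption for the example; `open_listener` exists only so the demo has a known in-use port.

```python
import errno
import socket

PROC_TCP_TABLES = ("/proc/net/tcp", "/proc/net/tcp6")


def port_in_use(port: int, host: str = "127.0.0.1"):
    """Brute-force probe of one port: try to bind it.  EADDRINUSE means
    another socket owns it (LISTEN, ESTABLISHED, TIME-WAIT ...), which is
    why the report above lists TIME-WAIT ports.  Returns True or False,
    or None when the port is privileged and the probe lacks the right to
    bind it, so nothing can be concluded."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            if e.errno == errno.EACCES:
                return None
            raise
    return False


def listed_tcp_ports_from_proc() -> set:
    """Local ports the kernel publishes in /proc/net/tcp{,6}, the table ss
    falls back to when sock_diag is unavailable.  The local_address field
    is hex 'addr:port', so the port is parsed in base 16."""
    ports = set()
    for path in PROC_TCP_TABLES:
        try:
            with open(path) as f:
                next(f)  # skip column header
                for line in f:
                    fields = line.split()
                    if len(fields) < 2:
                        continue
                    ports.add(int(fields[1].rsplit(":", 1)[1], 16))
        except (FileNotFoundError, StopIteration):
            continue
    return ports


def hidden_ports(candidates, listed) -> list:
    """Ports that refuse bind() yet are absent from the listing: the
    condition unhide-tcp reports as a hidden port."""
    listed = set(listed)
    return sorted(p for p in candidates
                  if port_in_use(p) is True and p not in listed)


def open_listener(host: str = "127.0.0.1") -> socket.socket:
    """Open a listening socket on an ephemeral port for the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    srv = open_listener()
    port = srv.getsockname()[1]
    listed = listed_tcp_ports_from_proc()
    print(f"listener on {port}: present in /proc table = {port in listed}")
    print("hidden with complete listing:", hidden_ports([port], listed))
    print("hidden with listing that omits it:", hidden_ports([port], listed - {port}))
    srv.close()
```

The bind probe is the independent source of truth; the listing is the thing under suspicion. A rootkit that hooks /proc would hide a port from both ss and `listed_tcp_ports_from_proc`, and the probe would still flag it. The flip side is exactly this bug: any defect in how the listing is produced or parsed shows up as a "hidden" port, so a result from a tool like this has to be checked against the listing source before it is treated as evidence of compromise.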

Comment 3 Fedora Update System 2020-08-21 16:35:27 UTC
FEDORA-2020-8f69c7534c has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f69c7534c

Comment 4 Fedora Update System 2020-08-22 00:58:10 UTC
FEDORA-2020-8f69c7534c has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8f69c7534c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8f69c7534c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 David Waring 2020-08-24 08:43:44 UTC
Before update, using iproute-5.4.0-1.fc31.x86_64:
> # unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options: 
> [*]Starting TCP checking
> 
> Found Hidden port that not appears in ss: 34071
> 
> Found Hidden port that not appears in ss: 38683
> 
> Found Hidden port that not appears in ss: 39367
> 
> Found Hidden port that not appears in ss: 40058
> 
> Found Hidden port that not appears in ss: 48855
> 
> Found Hidden port that not appears in ss: 49099
> 
> Found Hidden port that not appears in ss: 51248
> 
> Found Hidden port that not appears in ss: 51440
> 
> Found Hidden port that not appears in ss: 52641
> 
> Found Hidden port that not appears in ss: 53155
> 
> Found Hidden port that not appears in ss: 54655
> 
> Found Hidden port that not appears in ss: 56080
> 
> Found Hidden port that not appears in ss: 56082
> [*]Starting UDP checking

...and after the update to iproute-5.4.0-2.fc31.x86_64:
> # unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options: 
> [*]Starting TCP checking
> [*]Starting UDP checking


So that now appears to be working as expected, thank you.

Comment 6 Fedora Update System 2020-09-23 18:10:02 UTC
FEDORA-2020-8f69c7534c has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

