Hi,
I think I found the reason why honeyd won't start: I used "truss
honeyd..." (truss is like strace for Solaris) and it showed me that an
EACCES error occurs when the child process tries to access the /dev/poll
file descriptor which it inherited from its parent. Error message:
PID
8682: open("/dev/poll", O_RDWR) = 3
...
8683: pwrite(3, 0x000D89F0, 16, 0) Err#13 EACCES
8683: \0\0\00F\001\0\0\0\0\005\001\0\0
8683: ioctl(3, DP_POLL, 0xFFBFF548) Err#13 EACCES
...
8683: i o c t l : D P _ P O L L : P e r m i s s i o n d e n i e
8683: d
8683: write(2, "\n", 1) = 1
8683: _exit(0)
8682: _exit(0)
Searching for a solution to this problem I found this (from
http://sundocs.princeton.edu:8888/ab2/coll.40.6/REFMAN7/@Ab2PageView/57113):
But the child process will have very limited access through this
inherited /dev/poll file descriptor. Any attempt to write or do ioctl by
the child process will result in an EACCES error.
Has anybody here ever got honeyd to work on a Solaris machine?
Tobias
gangadhar npk wrote:
>Just a thought.
>To confirm that libdnet might be causing the problem, can you please try writing a simple test case using libdnet which does an intf_open() on any of the interfaces.
>I don't have access to a solaris box currently, but I will also try it. Do share your results.
>Best regards
>Gangadhar
>
>-----Original Message-----
>From: Tobias Hahn <tobi_wan_at_gmx.de>
>To: honeypots_at_securityfocus.com
>Date: Fri, 01 Jul 2005 08:28:33 +0200
>Subject: honeyd on Solaris 9
>
>Hi,
>
>I started debugging honeyd with gdb and I think I found at least one
>reason why it's not working like I want it to. I compared the Solaris
>debugging output with the Suse 9.2 debugging output and this is what I got:
>
>===SuseLinux9.2=========>>>>=========================
>3106 interface_initialize(honeyd_recv_cb);
>(gdb) step
>interface_initialize (cb=0x81a64c0) at interface.c:83
>83 TAILQ_INIT(&interfaces);
>(gdb)
>85 if ((intf = intf_open()) == NULL)
>(gdb)
>intf_open () at intf.c:123
>123 if ((intf = calloc(1, sizeof(*intf))) != NULL) {
>(gdb)
>124 intf->fd = intf->fd6 = -1;
>(gdb)
>126 if ((intf->fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
>(gdb)
>137 return (intf);
>========================<<<<=========================
>
>
>
>===Solaris9=============>>>>=========================
>3109 interface_initialize(honeyd_recv_cb);
>(gdb)
>interface_initialize (cb=0x1ef8c <honeyd_recv_cb>) at interface.c:83
>83 TAILQ_INIT(&interfaces);
>(gdb)
>85 if ((intf = intf_open()) == NULL)
>(gdb)
>86 err(1, "intf_open");
>(gdb)
>85 if ((intf = intf_open()) == NULL)
>(gdb)
>88 if_recv_cb = cb;
>(gdb)
>========================<<<<=========================
>
>It seems to me that on Solaris there is a problem with opening the
>interface. intf_open() belongs to intf.c, which is one of the libdnet
>files.
>
>honeyd always ends just after
>
>3205:fprintf(stderr, "Honeyd starting as background process\n");
>3206: if (daemon(1, 0) < 0) {
>3207: unlink(PIDFILE);
>3208: err(1, "daemon");
>3209: }
>
>line 3206 is the last one the gdb shows.
>
>I would really appreciate if somebody could help me with any of this.
>
>Thanks in advance,
> Tobias
Received on Jul 07 2005
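
The EACCES seen in the truss trace can be checked outside honeyd with a small fork test. This is an added example, not part of the original message and not honeyd, libevent or libdnet code; probe() and its arguments are hypothetical names, and the expectation that a descriptor opened by the child itself is usable is an assumption based on the quoted man page text, which restricts only the inherited descriptor.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* probe() is a hypothetical helper. It opens `dev` in the parent, forks, and
 * has the child register stdin by writing a struct pollfd to the descriptor,
 * the same kind of write that fails in the truss trace.
 *   reopen_in_child = 0: the child reuses the inherited descriptor.
 *   reopen_in_child = 1: the child closes it and opens its own first.
 * Returns the child's errno (0 on success) or -1 if setup failed. */
int probe(const char *dev, int reopen_in_child)
{
    struct pollfd pfd;
    pid_t pid;
    int status, fd = open(dev, O_RDWR);

    if (fd < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {                       /* child */
        pfd.fd = STDIN_FILENO;
        pfd.events = POLLIN;
        pfd.revents = 0;
        if (reopen_in_child) {
            close(fd);
            if ((fd = open(dev, O_RDWR)) < 0)
                _exit(255);               /* reserved: setup failure */
        }
        _exit(write(fd, &pfd, sizeof(pfd)) < 0 ? errno : 0);
    }
    close(fd);                            /* parent */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/poll";
    printf("inherited fd: errno %d\n", probe(dev, 0));
    printf("own fd:       errno %d\n", probe(dev, 1));
    return 0;
}
```

On a system that behaves as the trace shows, the first line should report errno 13 (EACCES); a result of -1 means the device could not be opened at all.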