DataSoft / Honeyd

virtual honeypots
GNU General Public License v2.0

honeyd segfaults when connecting #74

Closed nullprobe closed 11 years ago

nullprobe commented 11 years ago

Steps to reproduce:

1) start honeyd
2) hping3 haystack_ip -p dest_port (80 in my case)

This is the gdb output with backtrace:

Starting program: /usr/bin/honeyd -i eth0 -d --disable-webserver -i lo -f /home/xxxx/.config/nova/config/haystack_honeyd.config -p /usr/share/nova/sharedFiles/nmap-os-db -s /var/log/honeyd/honeydHaystackservice.log -t /var/log/honeyd/ipList -m /usr/share/nova/sharedFiles/nmap-mac-prefixes
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Honeyd V1.6b Copyright (c) 2002-2007 Niels Provos
honeyd[6763]: started with -i eth0 -d --disable-webserver -i lo -f /home/xxxx/.config/nova/config/haystack_honeyd.config -p /usr/share/nova/sharedFiles/nmap-os-db -s /var/log/honeyd/honeydHaystackservice.log -t /var/log/honeyd/ipList -m /usr/share/nova/sharedFiles/nmap-mac-prefixes
honeyd[6763]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:19:99:20:c5:d1
honeyd[6763]: listening on lo: ip
honeyd[6763]: Demoting process privileges to uid 65534, gid 65534
honeyd[6763]: arp reply XXX.XXX.XXX.XXX is-at 00:11:43:fe:e1:cd
honeyd[6763]: Killing unknown connection: tcp (XXX.XXX.XXX.XXX:2989 - XXX.XXX.XXX.XXX:80)

Program received signal SIGSEGV, Segmentation fault.
tcp_personality_match (con=0x66dda0, flags=0) at personality.c:735
735             person = tmpl->person;
(gdb) backtrace
#0  tcp_personality_match (con=0x66dda0, flags=0) at personality.c:735
#1  0x0000000000411e26 in tcp_recv_cb (tmpl=0x1035aa0, iface=0x102c0f0, pkt=<optimized out>, pktlen=40) at honeyd.c:2426
#2  0x0000000000412e4b in honeyd_dispatch (tmpl=0x1035aa0, iface=<optimized out>, ip=0x7ffff5fbd6a4, iplen=<optimized out>) at honeyd.c:3026
#3  0x0000000000413322 in honeyd_delay_cb (fd=<optimized out>, which=<optimized out>, arg=0x7fffffffcf70) at honeyd.c:876
#4  0x000000000040dea7 in honeyd_delay_packet (tmpl=0x1035aa0, iface=<optimized out>, ip=0x7ffff5fbd6a4, iplen=40, src=<optimized out>,
    dst=<optimized out>, ms=0, flags=0, spoof=...) at honeyd.c:944
#5  0x00000000004135d9 in honeyd_input (inter=0x102c0f0, ip=0x7ffff5fbd6a4, iplen=<optimized out>) at honeyd.c:3262
#6  0x0000000000413b8e in honeyd_recv_cb (ag=0x102c0f0 "P\371\002\001", pkthdr=<optimized out>, pkt=0x7ffff5fbd696 "") at honeyd.c:3417
#7  0x00007ffff796544c in ?? () from /usr/lib/x86_64-linux-gnu/libpcap.so.0.8
#8  0x000000000042c48a in interface_recv (fd=<optimized out>, type=<optimized out>, arg=0x102c0f0) at interface.c:556
#9  0x00007ffff7ba394c in event_base_loop () from /usr/lib/libevent-2.0.so.5
#10 0x000000000040c655 in main (argc=<optimized out>, argv=<optimized out>) at honeyd.c:3950

altf4 commented 11 years ago

Thanks for the report, nullprobe. Does this segfault happen reliably for you, or is it intermittent? And under what conditions? Simply any TCP connection to honeyd? I couldn't reproduce it myself at first, but I'm looking into it.

PherricOxide commented 11 years ago

Could you provide the contents of your honeyd configuration file at /home/xxxx/.config/nova/config/haystack_honeyd.config? You can remove the IP addresses if need be and/or you can email it to the Datasoft team directly at nova@datasoft.com if you'd prefer it not be posted publicly.

nullprobe commented 11 years ago

Segfault happens every time I try to hping3 a port on a honeyd instance, even ports that are not "served". Note that this only happens in TCP, honeyd works as intended with UDP connections.

Below is the config file you asked for; up until now I have kept the default config except for the static IPs.

create default
set default default tcp action filtered
set default default udp action filtered
set default default icmp action filtered
set default personality "Linux 3.0"
set default droprate in 0

clone CustomNodeProfile-0 default
set CustomNodeProfile-0 default tcp action closed
set CustomNodeProfile-0 default udp action closed
set CustomNodeProfile-0 default icmp action open
add CustomNodeProfile-0 tcp port 22 "bash /usr/share/honeyd/scripts/linux/ssh.sh $ipsrc $sport $ipdst $dport /home/xxxx/.config/nova/config/haystackscripts/0"
add CustomNodeProfile-0 tcp port 23 "perl /usr/share/honeyd/scripts/embedded/router-telnet.pl"
set CustomNodeProfile-0 personality "FreeBSD 8.2-STABLE"
set CustomNodeProfile-0 droprate in 0
set CustomNodeProfile-0 ethernet "00:11:43:7d:de:9f"
bind XXX.XXX.XXX.XXX CustomNodeProfile-0

clone CustomNodeProfile-1 default
set CustomNodeProfile-1 default tcp action closed
set CustomNodeProfile-1 default udp action closed
set CustomNodeProfile-1 default icmp action open
add CustomNodeProfile-1 tcp port 21 "bash /usr/share/honeyd/scripts/linux/ftp.sh $ipsrc $sport $ipdst $dport /home/xxxx/.config/nova/config/haystackscripts/1"
add CustomNodeProfile-1 tcp port 22 "bash /usr/share/honeyd/scripts/linux/ssh.sh $ipsrc $sport $ipdst $dport /home/xxxx/.config/nova/config/haystackscripts/2"
add CustomNodeProfile-1 tcp port 80 "tclsh /usr/share/honeyd/scripts/linux/httpd/httpd.tcl $ipsrc $sport $ipdst $dport /home/xxxx/.config/nova/config/haystackscripts/3"
set CustomNodeProfile-1 personality "Linux 3.0 - 3.1"
set CustomNodeProfile-1 droprate in 0
set CustomNodeProfile-1 ethernet "a4:ba:db:7d:27:5e"
bind XXX.XXX.XXX.XXX CustomNodeProfile-1

clone CustomNodeProfile-2 default
set CustomNodeProfile-2 default tcp action closed
set CustomNodeProfile-2 default udp action closed
set CustomNodeProfile-2 default icmp action open
add CustomNodeProfile-2 tcp port 20 open
add CustomNodeProfile-2 tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh"
add CustomNodeProfile-2 tcp port 23 "bash /usr/share/honeyd/scripts/linux/telnetd.sh $ipsrc $sport $ipdst $dport /home/xxxx/.config/nova/config/haystackscripts/4"
add CustomNodeProfile-2 tcp port 80 "bash /usr/share/honeyd/scripts/win32/web.sh"
add CustomNodeProfile-2 tcp port 135 open
add CustomNodeProfile-2 tcp port 137 open
add CustomNodeProfile-2 udp port 135 open
add CustomNodeProfile-2 udp port 137 open
set CustomNodeProfile-2 personality "Microsoft Windows Server 2003 SP1 or SP2"
set CustomNodeProfile-2 droprate in 0
set CustomNodeProfile-2 ethernet "00:18:8b:ba:77:fd"
bind XXX.XXX.XXX.XXX CustomNodeProfile-2

nullprobe commented 11 years ago

Any lead on why this is happening? I can't reliably run Honeyd for the moment. Anything else you want me to test?

PherricOxide commented 11 years ago

We haven't seen anything unusual in that area of the code, and the configuration file you gave us works without any problem for us. Are you sure that's the config file that was used when seeing the segfault? The original post you made showed,

honeyd[6763]: arp reply XXX.XXX.XXX.XXX is-at 00:11:43:fe:e1:cd

But that MAC address isn't in the configuration file you provided.

Out of curiosity, does it segfault with ICMP (a normal ping) as well? Or is it only TCP that has the problem?
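The cross-check PherricOxide did by hand (is the MAC in the logged ARP reply actually assigned by a `set ... ethernet` line in the config?) is easy to automate when triaging this kind of report. The script below is an added example, not part of the issue thread or the Honeyd project; its config and log lines are constructed to mirror the ones posted above.

```python
import re

# Constructed sample config, modelled on the honeyd config posted in the issue.
SAMPLE_CONFIG = """\
create default
set default personality "Linux 3.0"

clone CustomNodeProfile-0 default
set CustomNodeProfile-0 ethernet "00:11:43:7d:de:9f"
bind 192.0.2.10 CustomNodeProfile-0

clone CustomNodeProfile-1 default
set CustomNodeProfile-1 ethernet "a4:ba:db:7d:27:5e"
bind 192.0.2.11 CustomNodeProfile-1
"""

# Constructed honeyd log lines in the same shape as the ones quoted in the report.
SAMPLE_LOG = """\
honeyd[6763]: listening on lo: ip
honeyd[6763]: arp reply 192.0.2.10 is-at 00:11:43:fe:e1:cd
honeyd[6763]: arp reply 192.0.2.11 is-at a4:ba:db:7d:27:5e
"""

# 'set <template> ethernet "<mac>"' lines in the config.
ETHER_RE = re.compile(r'^\s*set\s+(\S+)\s+ethernet\s+"([0-9a-fA-F:]{17})"', re.M)
# 'arp reply <ip> is-at <mac>' lines in the honeyd log.
ARP_RE = re.compile(r'arp reply (\S+) is-at ([0-9a-fA-F:]{17})')


def config_macs(config_text):
    """Map each template name to the MAC it is given with 'set <tmpl> ethernet'."""
    return {name: mac.lower() for name, mac in ETHER_RE.findall(config_text)}


def unexpected_arp_replies(config_text, log_text):
    """(ip, mac) pairs honeyd answered ARP for whose MAC no template in the config owns.

    A hit means the running instance was started from a different config than
    the one under review, which is exactly the mismatch raised in this thread.
    """
    known = set(config_macs(config_text).values())
    return [(ip, mac.lower()) for ip, mac in ARP_RE.findall(log_text)
            if mac.lower() not in known]


if __name__ == "__main__":
    for ip, mac in unexpected_arp_replies(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"ARP reply for {ip} used {mac}, which is not assigned in the config")
```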

PherricOxide commented 11 years ago

Also, are you running hping3 from a separate machine on your network than the one hosting honeyd?

nullprobe commented 11 years ago

honeyd runs with the following command:

honeyd -i eth0 --disable-webserver -i lo -f /home/xxxx/.config/nova/config/haystack_honeyd.config -p /usr/share/nova/sharedFiles/nmap-os-db -s /var/log/honeyd/honeydHaystackservice.log -t /var/log/honeyd/ipList -m /usr/share/nova/sharedFiles/nmap-mac-prefixes

It does not segfault with ICMP, only with TCP. Hping3 runs on another server in the same subnet, the address right next to the nova machine. They are 2 different physical servers.

nullprobe commented 11 years ago

Built the latest commit and honeyd is up and running again.