
tripwire bypass

What would a hacker have to do to bypass Tripwire?
What effect do the recent vulnerabilities in MD5 have on the security of Tripwire?
This is from an educational point of view, of course.
4 Solutions
Replace a file with his/her own one which has the same MD5 checksum.
The recently found MD5 weakness makes finding equal hashes simpler.
Simpler, but still not simple. Plus Tripwire does both MD5 and SHA-1 by default, which makes the problem damn near impossible.

An easier way to attack the problem is to subvert the Tripwire database (if stored locally).
... or replace modules in the running kernel
... or use your own modules in the kernel
... or use a program in memory
Well, none of these is really a vulnerability of Tripwire, but they bypass Tripwire, at least as long as there is no reboot.
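The two points made above, that a substituted file would have to collide on both digests Tripwire records, and that a locally stored database is the softer target, can be shown with a small integrity checker. This is an added illustration, not code from the thread or from Tripwire itself: it baselines a directory with MD5 and SHA-1, reports which digest disagreed on a changed file, and protects the baseline with an HMAC under a key that is assumed to be kept off the monitored host (a stand-in for Tripwire's own key-signed database; the key handling and the sample files are constructed for the demo).

```python
import hashlib
import hmac
import json
import os
import tempfile


def digest_file(path):
    """Return both digests Tripwire records by default for one file."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def build_baseline(root):
    """Map every file under root (relative path) to its digests."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = digest_file(full)
    return entries


def sign_baseline(entries, key):
    """Attach an HMAC over the canonical JSON of the baseline.
    Assumption: key lives off-host, so a local attacker who rewrites the
    database cannot produce a valid tag for the rewritten entries."""
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def load_baseline(signed, key):
    """Refuse a baseline whose tag does not verify (database subverted)."""
    payload = json.dumps(signed["entries"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline database tampered")
    return signed["entries"]


def check(root, entries):
    """Compare the tree against the baseline; a file is flagged if EITHER
    digest differs, so a replacement must collide on MD5 and SHA-1 at once."""
    current = build_baseline(root)
    findings = {}
    for rel, old in entries.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = "missing"
            continue
        bad = [alg for alg in ("md5", "sha1") if old[alg] != new[alg]]
        if bad:
            findings[rel] = "modified (" + ",".join(bad) + ")"
    for rel in current:
        if rel not in entries:
            findings[rel] = "added"
    return findings


def demo():
    """Constructed scenario: baseline two files, trojan one, then try to
    rewrite the baseline without the key. Returns the outcome for checking."""
    key = b"offline-site-key-assumed"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary\n")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"original ps binary\n")
        signed = sign_baseline(build_baseline(root), key)

        # Attacker swaps in a trojaned ls: no collision, so both digests change.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")
        changed = check(root, load_baseline(signed, key))

        # Attacker instead rewrites the local database to match the new tree,
        # but cannot recompute the tag without the off-host key.
        forged = {"entries": build_baseline(root), "mac": signed["mac"]}
        try:
            load_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"changed": changed, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The "modified (md5,sha1)" finding is the everyday case; an attacker who could engineer an MD5 collision would still show up as "modified (sha1)", which is the point of recording two digests. The forged-database branch shows why the database and its key, not the hash, are the practical target when both are kept on the monitored host.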
The attacker would need access to the box while it is in a vulnerable state, prior to it being secured. So servers should be built in a clean environment before being given public access.

Once secured it is hard. However, if a management server is used, the attacker would most likely target that instead, so similar measures are needed on the management/log collector. The reason is that if the first box is breached, the changes are recorded and the logs sent to management; therefore, if management is not secure, you cannot trust that those logs have not been interfered with.

Most people forget the management/log collectors.

If implemented correctly, it is very difficult, especially if logs are sent to another device and those logs are secured.
