Situation: I analyzed an HDD with a Windows 10 which was infected by a
backdoor. As I wanted to see if ClamAV detects the malware too, and I
wanted to see how long it takes to do the scan with OpenBSD, I attached the
HDD to an OpenBSD system and got a kernel panic, TWICE, doing so.... I
mounted the NTFS partition (to /mnt) and just let ClamAV scan the whole
drive. Since I had to wipe the HDD I can not provide a dd image. Since the
wipe was flawless (used the Schneier (7-pass) method) the HDD is alright.
I also used vendor tools to check the HDD for any malfunction (SeaTools)
but found none, so I assume the issue is in the NTFS code in OpenBSD.

System is a PC Engines APU1, 4GB (no dmesg), HDD was attached via USB.

Do not mind the Tor process; it was installed after the 1st crash because
I had to test something else and ran a second trial (with the HDD) later
(to let ClamAV scan the drive on OpenBSD).

kernel: protection fault trap, code=0
Stopped at ntfs_readattr_plain+0x131: movl 0x60(%rax),%edx
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
45415 265988 52456 0 3 0x2 biowait perl
52456 447493 4322 0 3 0x10008a sigsusp sh
4322 437081 35962 0 3 0x10008a sigsusp sh
35962 459242 38655 0 3 0x100090 piperd cron
*43302 184321 19396 0 7 0x800403 clamscan
19396 353567 1 0 3 0x10008b sigsusp ksh
38655 409127 1 0 3 0x100098 kqread cron
85565 274846 1 566 3 0x90 kqread tor
39491 404941 1 99 3 0x1100090 kqread sndiod
62633 236452 1 110 3 0x100090 kqread sndiod
97546 214477 33817 95 3 0x1100092 kqread smtpd
20834 408466 33817 103 3 0x1100092 kqread smtpd
10786 385614 33817 95 3 0x1100092 kqread smtpd
90964 76202 33817 95 3 0x100092 kqread smtpd
59751 327464 33817 95 3 0x1100092 kqread smtpd
44792 162808 33817 95 3 0x1100092 kqread smtpd
33817 92588 1 0 3 0x100080 kqread smtpd
25534 190445 1 0 3 0x88 kqread sshd
81744 209992 1 0 3 0x100080 kqread ntpd
30655 211583 54372 83 3 0x100092 kqread ntpd
54372 459931 1 83 3 0x1100092 kqread ntpd
25018 516458 1 53 3 0x1000090 kqread unbound
21697 267844 35848 74 3 0x1100092 bpf pflogd
35848 81368 1 0 3 0x80 netio pflogd
96653 410785 66669 73 3 0x1100090 kqread syslogd
66669 450929 1 0 3 0x100082 netio syslogd
56318 318748 1 0 3 0x100080 kqread resolvd
96192 386048 64537 77 3 0x100092 kqread dhcpleased
36462 200448 64537 77 3 0x100092 kqread dhcpleased
64537 264634 1 0 3 0x80 kqread dhcpleased
82427 268078 91758 115 3 0x100092 kqread slaacd
27797 320182 91758 115 3 0x100092 kqread slaacd
91758 346220 1 0 3 0x100080 kqread slaacd
35354 84793 0 0 3 0x14200 bored smr
74931 129718 0 0 3 0x14200 pgzero zerothread
83218 357793 0 0 3 0x14200 aiodoned aiodoned
23298 95388 0 0 3 0x14200 syncer update
71279 420621 0 0 3 0x14200 cleaner cleaner
2921 66629 0 0 3 0x14200 reaper reaper
77209 395044 0 0 3 0x14200 pgdaemon pagedaemon
43392 394253 0 0 3 0x14200 bored sensors
88002 368253 0 0 3 0x14200 usbtsk usbtask
30426 238822 0 0 3 0x14200 usbatsk usbatsk
39061 434090 0 0 3 0x40014200 acpi0 acpi0
63789 355878 0 0 3 0x40014200 idle1
89634 277095 0 0 3 0x14200 bored softnet
5946 42525 0 0 3 0x14200 bored systqmp
11144 229937 0 0 3 0x14200 bored systq
73833 505314 0 0 3 0x40014200 bored softclock
5759 111706 0 0 7 0x40014200 idle0
1 106210 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{1}> trace
ntfs_readattr_plain(ffff800000da1600,ffff800002a0bb00,80,0,1000,d799,81ca14246facdb2a,ffff800002a0bb00,1000) at ntfs_readattr_plain+0x131
ntfs_readattr(ffff800000da1600,ffff800002a0bb00,80,0,1000,d799,cd7915280e96d8b2,fffffd80632fad30) at ntfs_readattr+0x1bc
ntfs_read(ffff800021f6eb08) at ntfs_read+0x63
VOP_READ(fffffd806629e4f8,ffff800021f6ec68,0,fffffd817e7e4060) at VOP_READ+0x41
vn_read(fffffd80632fad30,ffff800021f6ec68,1) at vn_read+0xa6
dofilereadv(ffff8000ffff6548,9,ffff800021f6ec68,1,ffff800021f6ed30) at dofilereadv+0x146
sys_pread(ffff8000ffff6548,ffff800021f6ece0,ffff800021f6ed30) at sys_pread+0x5c
syscall(ffff800021f6eda0) at syscall+0x374
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x7f7ffffbcc80, count: -9
ddb{1}> show register
rdi 0
rsi 0xc9c8 __ALIGN_SIZE+0xb9c8
rbp 0xffff800021f6e9b0
rbx 0xd799 __ALIGN_SIZE+0xc799
rdx 0xfe00000000000000
rcx 0x282
rax 0xdead4110dead4110
r8 0
r9 0xd799 __ALIGN_SIZE+0xc799
r10 0x1000 __ALIGN_SIZE
r11 0x64b4f01def25acfb
r12 0x80
r13 0xffff800002a0bb00
r14 0x1000 __ALIGN_SIZE
r15 0xffff800000da1600
rip 0xffffffff81689041 ntfs_readattr_plain+0x131
cs 0x8
rflags 0x10246 __ALIGN_SIZE+0xf246
rsp 0xffff800021f6e920
ss 0x10
ntfs_readattr_plain+0x131: movl 0x60(%rax),%edx
ddb{1}>
Kind regards,
Sebastian Rother
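Added example (editor's code, not part of the report above and not OpenBSD code): a small Python triage helper for ddb dumps of this shape. It reads the "Stopped at" line, the ps listing and the "show register" output, computes the effective address of the faulting memory operand (here 0x60(%rax) with rax = 0xdead4110dead4110, giving 0xdead4110dead4170), and checks whether that address is canonical. On x86-64 an access through a non-canonical address raises a general protection fault instead of a page fault, which is why the report shows "protection fault trap, code=0" rather than a page fault: the pointer in rax is not merely unmapped, it is not a valid address at all. The repeated-word check is a heuristic of mine (a base register holding one 32-bit word twice has the shape of a memory fill pattern; it is not a diagnosis). The sample input is a trimmed copy of the dump quoted above; only the base+displacement operand form is handled.

```python
"""Triage helper for an OpenBSD ddb panic dump (added example, not from the
bug report or OpenBSD). Parses 'Stopped at', 'ps' and 'show register',
computes the faulting effective address and classifies the fault."""
import re

# Constructed sample: a trimmed copy of the ddb session quoted in the report.
DDB_SAMPLE = """\
kernel: protection fault trap, code=0
Stopped at ntfs_readattr_plain+0x131: movl 0x60(%rax),%edx
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
45415 265988 52456 0 3 0x2 biowait perl
*43302 184321 19396 0 7 0x800403 clamscan
19396 353567 1 0 3 0x10008b sigsusp ksh
ddb{1}> show register
rdi 0
rsi 0xc9c8 __ALIGN_SIZE+0xb9c8
rdx 0xfe00000000000000
rax 0xdead4110dead4110
r15 0xffff800000da1600
rip 0xffffffff81689041 ntfs_readattr_plain+0x131
rsp 0xffff800021f6e920
"""

MASK64 = (1 << 64) - 1
STOP_RE = re.compile(r'^Stopped at\s+(\S+):\s+(\w+)\s+(.*)$', re.M)
REG_RE = re.compile(r'^(r[a-z0-9]+|[cdefgs]s|rflags)\s+(0x[0-9a-f]+|\d+)', re.M)
# AT&T memory operand of the form disp(%base); index/scale forms are not handled.
MEM_RE = re.compile(r'(-?0x[0-9a-f]+|-?\d+)?\((%[a-z0-9]+)\)')
# ps row: PID TID PPID UID S FLAGS [WAIT] COMMAND; '*' marks the current process.
PS_RE = re.compile(r'^(\*?)(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+0x[0-9a-f]+\s+(?:\S+\s+)?(\S+)$', re.M)


def parse_stop(text):
    """Return (symbol+offset, mnemonic, operand string) from the 'Stopped at' line."""
    m = STOP_RE.search(text)
    if not m:
        raise ValueError("no 'Stopped at' line found")
    return m.group(1), m.group(2), m.group(3).strip()


def parse_registers(text):
    """Map register name -> integer value from 'show register' output."""
    return {m.group(1): int(m.group(2), 0) for m in REG_RE.finditer(text)}


def current_process(text):
    """Command name of the process ddb marks with '*' (running on the faulting CPU)."""
    for m in PS_RE.finditer(text):
        if m.group(1) == '*':
            return m.group(3)
    return None


def effective_address(operands, regs):
    """(base register, base + displacement) for the first memory operand."""
    m = MEM_RE.search(operands)
    if not m:
        raise ValueError("no memory operand in %r" % operands)
    disp = int(m.group(1), 0) if m.group(1) else 0
    base = m.group(2).lstrip('%')
    return base, (regs[base] + disp) & MASK64


def is_canonical(addr):
    """x86-64 canonical form: bits 63..47 all equal; otherwise any access raises #GP."""
    return (addr >> 47) in (0, 0x1ffff)


def is_repeated_word(val):
    """Heuristic: a non-zero 64-bit value made of one 32-bit word repeated (fill-pattern shape)."""
    return val != 0 and (val >> 32) == (val & 0xffffffff)


def triage(text):
    """Summarise the fault: current process, faulting instruction, address and fault kind."""
    sym, mnem, ops = parse_stop(text)
    regs = parse_registers(text)
    base, ea = effective_address(ops, regs)
    report = {
        'process': current_process(text),
        'symbol': sym,
        'instruction': '%s %s' % (mnem, ops),
        'base_register': base,
        'base_value': regs[base],
        'effective_address': ea,
        'canonical': is_canonical(ea),
        'fill_pattern': is_repeated_word(regs[base]),
    }
    if report['canonical']:
        report['verdict'] = 'canonical address: an unmapped access would show as a page fault'
    else:
        report['verdict'] = ('non-canonical address: the CPU raises #GP (protection fault), '
                             'so the base pointer is garbage rather than merely unmapped')
    return report


if __name__ == '__main__':
    for key, val in triage(DDB_SAMPLE).items():
        shown = hex(val) if isinstance(val, int) and not isinstance(val, bool) else val
        print('%-18s %s' % (key, shown))
```

Run it against a saved ddb transcript by replacing DDB_SAMPLE with the file contents; the register and ps parsers ignore the trace section, so the whole session can be pasted in unchanged.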