**Yuki the Maven** @yuki_the_maven · 2017-11-29T23:52:08Z

Yuki the Maven @yuki_the_maven

is there *any* good reason for a .so to have a different md5sum on different boxes, under the assumption that it's been installed from the same rpm/repo?

I suspect malware, but am I missing something else obvious before jumping to conclusions? #security #rpm #hash
(pic: kizumonogatari)

Nov 29, 2017, 23:52 · Web · 1 · 0

**(⚗️ pnathan)** @pnathan@imaginair.es · Nov 29, 2017, 23:53

**(⚗️ pnathan)** @pnathan@imaginair.es · Nov 29, 2017, 23:53

@yuki_the_maven different versions.

0 length files due to weirdnesses

bad package.

**Yuki the Maven** @yuki_the_maven · Nov 29, 2017, 23:55

**Yuki the Maven** @yuki_the_maven · Nov 29, 2017, 23:55

@pnathan @k sorry by same rpm I meant same versions too. I don't think 0len as there is some other software using that .so and working correctly *for some time*

**(⚗️ pnathan)** @pnathan@imaginair.es · Nov 30, 2017, 01:06

**(⚗️ pnathan)** @pnathan@imaginair.es · Nov 30, 2017, 01:06

@yuki_the_maven @k

how strange. can you do an objdump on the different .so ?

**Yuki the Maven** @yuki_the_maven · Nov 30, 2017, 01:07

**Yuki the Maven** @yuki_the_maven · Nov 30, 2017, 01:07

@pnathan won't be able until next monday but that's totally in my list of next steps

**(⚗️ pnathan)** @pnathan@imaginair.es · Nov 30, 2017, 01:13

**(⚗️ pnathan)** @pnathan@imaginair.es · Nov 30, 2017, 01:13

@yuki_the_maven please let me know what you find. I'm curious.

**Yuki the Maven** @yuki_the_maven · Nov 30, 2017, 01:13

**Yuki the Maven** @yuki_the_maven · Nov 30, 2017, 01:13

@pnathan will do

**Yuki the Maven** @yuki_the_maven · Dec 05, 2017, 02:05

**Yuki the Maven** @yuki_the_maven · Dec 05, 2017, 02:05

@pnathan like @RAOF pointed out it seems to be prelinking. could not confirm in production as we had a connectivity outage (happy monday!) but it's enabled in every other environment so I'll just go with it

**(⚗️ pnathan)** @pnathan@imaginair.es · Dec 05, 2017, 16:28

**(⚗️ pnathan)** @pnathan@imaginair.es · Dec 05, 2017, 16:28

@yuki_the_maven @RAOF Prelinking?

how would that change a file size? now I'm curious...

**Kae** @k · Nov 29, 2017, 23:54

**Kae** @k · Nov 29, 2017, 23:54

@yuki_the_maven if you're positive they're the same version, then I can't think of any reason

**🔥RAOF🔥** @RAOF@glitch.social · Nov 30, 2017, 00:01

**🔥RAOF🔥** @RAOF@glitch.social · Nov 30, 2017, 00:01

@yuki_the_maven The only thing that comes to mind is prelinking? That modifies the binaries in-place, so hash-based verification can fail.

https://en.wikipedia.org/wiki/Prelink

**🔥RAOF🔥** @RAOF@glitch.social · Nov 30, 2017, 00:02

**🔥RAOF🔥** @RAOF@glitch.social · Nov 30, 2017, 00:02

@yuki_the_maven *Particularly* if you're using randomised prelink, which is almost certainly the default (if you've got it enabled) as it makes return-to-libc attacks harder.

**Yuki the Maven** @yuki_the_maven · Nov 30, 2017, 00:03

**Yuki the Maven** @yuki_the_maven · Nov 30, 2017, 00:03

@RAOF ooooooohhh I see! thanks for the pointer I had no idea this was a thing