How Deleting State Dumps and Core Dumps Works in Linux

What Are State Dumps and Core Dumps?

• State Dumps: Files that capture the state of an application or system at a specific point in time, often including diagnostic information for troubleshooting.
• Core Dumps: Files generated when a program crashes unexpectedly. They contain a snapshot of the program's memory, including:
• Stack traces (call history leading to the crash).
• Memory content (e.g., variables, heap data, or instructions).
• Register states at the time of the crash.

These files are typically stored in directories like /var/core/, /var/crash/, or custom paths defined by the application (/data/var/statedumps/ in the example).

How Do Commands Like rm -rf Work?

The commands rm -rf /data/var/statedumps/* and rm -rf /data/var/cores/* recursively and forcefully remove files within the specified directories: 1. Recursive Deletion (-r): Deletes all files and subdirectories within the target directory. 2. Force Option (-f): Ignores warnings, such as permission errors or non-existent files, ensuring deletion proceeds without interruption. 3. Wildcard (*): Matches all files and directories within the target path.

For example: - rm -rf /data/var/statedumps/*: Deletes all state dump files. - rm -rf /data/var/cores/*: Deletes all core dump files.

These commands execute quickly and leave no easily accessible trace of the deleted files unless backups or shadow copies exist.

How It Can Be Abused

Attackers use this technique to eliminate critical forensic artifacts that could expose their activities. Here's how:

1. Erasing Evidence of Exploitation:
2. Core dumps may reveal traces of memory-resident payloads, such as:
   • Shellcode injected during an exploit.
   • Malicious commands or operations that caused the crash.

3. By deleting core dumps, attackers hide the exact steps or tools used in their exploitation process.

4. Hindering Reverse Engineering:

5. Analysts often use core dumps to reconstruct the sequence of events leading to a crash or failure. For example:
   • Determining the input that triggered a vulnerability.
   • Identifying malicious functions or code injected into memory.

6. Without core dumps, it becomes harder to analyze the exploit or payload.

7. Concealing Persistence Mechanisms:

8. Core dumps might contain information about how malicious code interacts with the system, such as:
   • Environment variables.
   • Loaded libraries or modules.

9. Deleting these files prevents investigators from identifying potential persistence mechanisms.

10. Disrupting Incident Response:

11. State dumps and core dumps provide real-time insights into what went wrong. Deleting them forces responders to rely on less detailed logs or indirect evidence, prolonging the investigation and increasing the chance of missing critical details.