On Mon, 11 Oct 2004 12:23:57 +0800 (PHT), ed <[EMAIL PROTECTED]> wrote:
>
> > Paolo Alexis Falcone wrote:
> >
> > > Fortunately though you'd not encounter this if you're using a 2.6
> > > kernel. This is what you'll see on a 2.6 kernel:
> > >
> >
> > that's a relief. we're concerned about this exploit on the linux
> > workstations we're going to deploy next month. good thing those
> > have 2.6 kernels too.
> >
>
> Had time fiddling this morning. Looking into the kernel sources you can
> see this snip in linux/mm/mmap.c
>
>     if ((prot & PROT_EXEC) &&
>         (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
>             return -EPERM;
>
> but as pointed out in discussions (forgot where) early 2004 it can still
> be bypassed using custom binaries with the execute flags removed from the
> segments.
>
> The kernel checks for executable segments in the binary and then if it
> doesn't find them, PROT_EXEC doesn't get declared; voila, the above snip is
> circumvented by these special binaries. Unfortunately circumvention works
> on 2.6 kernels.
>
> (on 2.6.9-rc3 on /tmp with noexec flags)
>
> [EMAIL PROTECTED] tmp $ ls -la *hello
> -rwxr-xr-x 1 xedx users 6965 Oct 11 12:00 ordinaryhello
> -rwxr-xr-x 1 xedx users 6965 Oct 11 11:58 specialhello
> [EMAIL PROTECTED] tmp $ ./ordinaryhello
> -bash: ./ordinaryhello: Permission denied
> [EMAIL PROTECTED] tmp $ ./specialhello
> -bash: ./specialhello: Permission denied
> [EMAIL PROTECTED] tmp $ /lib/ld-linux.so.2 ./ordinaryhello
> ./ordinaryhello: error while loading shared libraries: ./ordinaryhello:
> failed to map segment from shared object: Operation not permitted
> [EMAIL PROTECTED] tmp $ /lib/ld-linux.so.2 ./specialhello
> Greetings from ed
> [EMAIL PROTECTED] tmp $
>
> specialhello binary -> http://i.keepsilent.net/specialhello
> ordinaryhello binary -> http://i.keepsilent.net/ordinaryhello
> hello.c -> http://i.keepsilent.net/hello.c
>
> sha1sums:
> cd12f42e32c9c08b3217aadff511b561b05dadb4 specialhello
> 5182752ba19e1353b62c81d0db621ea0ca450ca8 ordinaryhello
Kind of expected from systems using discretionary access control - is this
a legitimate bug or purely a limitation of discretionary access controls?
For sure the detection of executable sections can be circumvented provided
the construction of special binaries that would trick mmap() into believing
that the file is not executable - but could this be sanely solved without
resorting to extreme measures such as mandatory access controls?

--
Paolo Alexis Falcone
[EMAIL PROTECTED]

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
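As an added example that is not part of this thread and not ed's test binaries: the bypass ed describes works because a binary whose loadable segments carry no execute flag never makes mmap() see PROT_EXEC, so an auditor of a noexec mount can scan for exactly that. The Python below (my own code; ELF64 offsets and the PT_LOAD/PF_X constants come from the ELF specification, and the names scan_elf64 and build_sample are mine) parses the program headers and flags images whose entry point lies outside every executable PT_LOAD segment; the sample images it builds are constructed header-only stubs, not runnable programs.

```python
import struct

# ELF64 constants from the ELF specification (not from the thread).
PT_LOAD, PF_X = 1, 0x1
ELFCLASS64, ELFDATA2LSB = 2, 1

def scan_elf64(data: bytes) -> dict:
    """Report whether an ELF64 image has executable PT_LOAD segments and
    whether its entry point lies in one.  A binary whose loadable segments
    carry no PF_X flag never asks mmap() for PROT_EXEC, so the MNT_NOEXEC
    check quoted in the thread is never reached; that is what this flags."""
    if data[:4] != b"\x7fELF" or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == ELFDATA2LSB else ">"   # EI_DATA picks byte order
    e_entry, e_phoff = struct.unpack_from(end + "QQ", data, 24)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    loads, exec_ranges = 0, []
    for i in range(e_phnum):
        p_type, p_flags, _off, p_vaddr, _pa, _fsz, p_memsz, _al = \
            struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_LOAD:
            continue
        loads += 1
        if p_flags & PF_X:
            exec_ranges.append((p_vaddr, p_vaddr + p_memsz))
    entry_in_exec = any(lo <= e_entry < hi for lo, hi in exec_ranges)
    return {
        "load_segments": loads,
        "exec_segments": len(exec_ranges),
        "entry_in_exec": entry_in_exec,
        # Loadable code with no executable segment: worth a closer look on noexec.
        "suspicious": loads > 0 and not entry_in_exec,
    }

def build_sample(p_flags: int) -> bytes:
    """Constructed header-only ELF64 image (x86-64, little-endian) with one
    PT_LOAD segment covering the entry point; a stub, not a runnable program."""
    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,
                               64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, p_flags, 0, 0x400000,
                       0x400000, 0x2000, 0x2000, 0x1000)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # scan real files: python scan.py /tmp/*
        with open(path, "rb") as fh:
            print(path, scan_elf64(fh.read()))
```

Run it over the files on a noexec mount; an ordinary executable reports at least one executable segment holding its entry point, while an image with the execute flags stripped from its segments comes back "suspicious".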
