> On Mon, 11 Oct 2004 12:23:57 +0800 (PHT), ed <[EMAIL PROTECTED]>
> wrote:
>>
>> > Paolo Alexis Falcone wrote:
>> >
>> >>Fortunately though you'd not encounter this if you're using a 2.6
>> >>kernel. This is what you'll see on a 2.6 kernel:
>> >>
>> >
>> > that's a relief. we're concerned about this exploit on the linux
>> > workstations we're going to deploy next month. good thing those
>> > have 2.6 kernels too.
>> >
>> Had time fiddling this morning. Looking into the kernel sources you can
>> see this snip in linux/mm/mmap.c
>>
>>     if ((prot & PROT_EXEC) &&
>>         (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
>>         return -EPERM;
>>
>> but as pointed out with discussions (forgot where) early 2004 it can
>> still be bypassed using custom binaries with the execute flags removed
>> from the segments.
>>
>> The kernel checks for executable segments in the binary and then if it
>> doesn't find them, PROT_EXEC doesn't get declared; voila the above snip
>> is circumvented by these special binaries. Unfortunately circumvention
>> works on 2.6 kernels.
>>
>> (on 2.6.9-rc3 on /tmp with noexec flags)
>>
>> [EMAIL PROTECTED] tmp $ ls -la *hello
>> -rwxr-xr-x 1 xedx users 6965 Oct 11 12:00 ordinaryhello
>> -rwxr-xr-x 1 xedx users 6965 Oct 11 11:58 specialhello
>> [EMAIL PROTECTED] tmp $ ./ordinaryhello
>> -bash: ./ordinaryhello: Permission denied
>> [EMAIL PROTECTED] tmp $ ./specialhello
>> -bash: ./specialhello: Permission denied
>> [EMAIL PROTECTED] tmp $ /lib/ld-linux.so.2 ./ordinaryhello
>> ./ordinaryhello: error while loading shared libraries: ./ordinaryhello:
>> failed to map segment from shared object: Operation not permitted
>> [EMAIL PROTECTED] tmp $ /lib/ld-linux.so.2 ./specialhello
>> Greetings from ed
>> [EMAIL PROTECTED] tmp $
>>
>> specialhello binary -> http://i.keepsilent.net/specialhello
>> ordinaryhello binary -> http://i.keepsilent.net/ordinaryhello
>> hello.c -> http://i.keepsilent.net/hello.c
>>
>> sha1sums:
>> cd12f42e32c9c08b3217aadff511b561b05dadb4 specialhello
>> 5182752ba19e1353b62c81d0db621ea0ca450ca8 ordinaryhello
>
> Kind of expected from systems using discretionary access control - is
> this a legitimate bug or purely a limitation of discretionary access
> controls? For sure the detection of executable sections can be
> circumvented provided the construction of special binaries that would
> trick mmap() to believing that the file is not executable - but could
> this be sanely solved without resorting to extreme measures such as
> mandatory access controls?
> --
> Paolo Alexis Falcone
> [EMAIL PROTECTED]
>
Greetings,

: is this a legitimate bug or purely a limitation of discretionary access
: controls?

Mainly both, as an inherent flaw in DAC[1] and bugs with mmap/mprotect
sanitation as well as glibc/ld.so executable bit enforcement. Discussed
before at fd[2] but unfortunately was concluded prematurely with the
agreed upon 2.6 fix. Ulrich Drepper probably missed the case in point
(ld.so broken too?) with his patch[3]; anyway, thanks to him for NPTL
(offtopic) :D

There is a very high chance that some live boxes were rooted using this
vulnerability plus the mremap[4][5] and the do_brk[6] bugs which came out
around the same time.

Fixing glibc's ld.so to properly check executable segments, or better
Linux-glibc devel coordination (well, everyone knows it's already at
excellent levels but there are some cases to watch out for), would be the
next easy solutions without resorting to "extreme" measures like RSBAC[7],
LIDS-TPE[8] or using SELINUX[9].

[1] http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-003.html
[2] http://seclists.org/lists/fulldisclosure/2004/Mar/0600.html
[3] http://linux.bkbits.net:8080/linux-2.4/[EMAIL PROTECTED]
[4] http://isec.pl/vulnerabilities/isec-0013-mremap.txt
[5] http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt
[6] http://isec.pl/vulnerabilities/isec-0012-do_brk.txt
[7] http://www.rsbac.org/documentation/linux-kongress/index.html
[8] http://www.lids.org/document/LIDS-TPE-feature.txt
[9] http://www.crypt.gen.nz/selinux/faq.html

--
ed
[!] http://i.keepsilent.net (unupdated)
[!] propolice.at.gmail.dot.com
Senior Researcher of the Kitchen Refrigerator

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
. To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
. Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
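An added defender-side check for the binaries the thread describes; this is example code written for this page, not code from ed, Paolo or the PLUG list. It parses an ELF file's program headers (the same `PT_LOAD` entries and `PF_X` flags the kernel and ld.so consult when deciding whether to map a segment with `PROT_EXEC`) and flags a binary whose entry point is not covered by any executable `PT_LOAD` segment, which is the shape of a "special" binary with the execute flags stripped. The two fixtures (`build_elf32_fixture`) are constructed header-only images with no code behind them, so the audit can be exercised offline; the function and field names are this example's own.

```python
"""Audit ELF program headers for missing execute (PF_X) flags.

Added example for the noexec discussion above (not code from the thread
or its participants). It reads the ELF header and program headers the way
a loader does and reports a binary as suspicious when its entry point is
not inside any PT_LOAD segment marked PF_X.
"""
import struct
import sys

PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4


def flags_str(p_flags):
    """Render p_flags the way readelf -l does ("R", "RX", "RW", ...)."""
    return "".join(name for bit, name in ((PF_R, "R"), (PF_W, "W"), (PF_X, "X"))
                   if p_flags & bit)


def parse_elf(data):
    """Return (bits, e_entry, [(p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:                       # ELFCLASS32: 52-byte header, 32-byte phdrs
        hdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        ph_fmt, bits = endian + "IIIIIIII", 32
    elif ei_class == 2:                     # ELFCLASS64: 64-byte header, 56-byte phdrs
        hdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        ph_fmt, bits = endian + "IIQQQQQQ", 64
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    phdrs = []
    for i in range(e_phnum):
        raw = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if bits == 32:   # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = raw
        else:            # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = raw
        phdrs.append((p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz))
    return bits, e_entry, phdrs


def audit_exec_segments(data):
    """Classify an ELF image by whether its entry point lives in an executable PT_LOAD."""
    bits, e_entry, phdrs = parse_elf(data)
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    exec_loads = [p for p in loads if p[1] & PF_X]
    entry_in_exec = any(p[3] <= e_entry < p[3] + p[5] for p in exec_loads)
    return {
        "bits": bits,
        "entry": e_entry,
        "load_segments": [(p[3], flags_str(p[1])) for p in loads],
        "has_exec_load": bool(exec_loads),
        "entry_in_exec_segment": entry_in_exec,
        # A normal executable has its entry point in a PF_X segment. A segment
        # mapped without PF_X never asks for PROT_EXEC, so the MNT_NOEXEC check
        # quoted in the thread is never reached for it.
        "suspicious": not entry_in_exec,
    }


def build_elf32_fixture(load_flags, entry=0x08048100):
    """Constructed test fixture: an ELF32 header plus one PT_LOAD program
    header, with no code behind it. Only the headers matter for the audit."""
    ehsize, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class32, LE, v1, SysV ABI
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1,                  # ET_EXEC, EM_386, EV_CURRENT
                               entry, ehsize, 0,         # e_entry, e_phoff (phdrs follow ehdr), e_shoff
                               0, ehsize, phentsize, 1,  # e_flags, e_ehsize, e_phentsize, e_phnum
                               0, 0, 0)                  # no section headers
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000,
                       0x1000, 0x1000, load_flags, 0x1000)
    return ehdr + phdr


if __name__ == "__main__":
    paths = sys.argv[1:]
    images = [(p, open(p, "rb").read()) for p in paths] or [
        ("ordinary (constructed)", build_elf32_fixture(PF_R | PF_X)),
        ("special (constructed)", build_elf32_fixture(PF_R)),
    ]
    for name, data in images:
        r = audit_exec_segments(data)
        print("%-24s ELF%d entry=0x%x segments=%s %s" % (
            name, r["bits"], r["entry"], r["load_segments"],
            "SUSPICIOUS: no executable PT_LOAD covers entry" if r["suspicious"] else "ok"))
```

Run it with one or more binary paths to list each file's `PT_LOAD` segments and their flags (cross-check against `readelf -l`), or with no arguments to see the two constructed fixtures classified. It is a heuristic for spotting files shaped like the "special" binaries on a mount you expected noexec to protect; it does not replace the loader-side fix the reply asks for, and a file that fails this audit is not necessarily malicious.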
