Re: Critical Linux exploit in the wild

From Lusotec <nomail@nomail.not>
Newsgroups comp.os.linux.advocacy, comp.os.linux.security
Subject Re: Critical Linux exploit in the wild
Followup-To comp.os.linux.advocacy
Date 2013-05-20 15:18 +0100
Organization A noiseless patient Spider
Message-ID <kndb4a$o8i$1@dont-email.me>
References <20130519095624.694@usenet.drumscum.be> <kna9vs$661$1@dont-email.me> <519a1719$0$15886$e4fe514c@news2.news.xs4all.nl>

Cross-posted to 2 groups.

Followups directed to: comp.os.linux.advocacy


Casper H. S. Dik wrote:
> Lusotec writes:
>>Another policy in my company is to mount all user writable partitions with
>>noexec, nosuid, nodev options so even if the exploit binary was placed in
>>the system by a user or a hacker (s)he would still have to find a way to
>>execute the exploit.
> 
> Does it work against making the exploit called from the init routine
> in a shared object which you could load as LD_PRELOAD in any executable
> you are allowed to run?
>
> (In Solaris, a shared object in a noexec mount cannot be loaded but
> I'm not sure if Linux extends the noexec to mmap()'ed objects.)
> 
> Of course, if the user has access to perl, python, then noexec doesn't
> help all that much.

As you can see below, preloading a library from a noexec mounted file system
does not work.

$ PS1=$
$ LANGUAGE=C
$ cd ~/tmp
$ gcc -fPIC -c -o test.o -x c - <<EOF
#include <stdio.h>
void _init(void) { printf( "TEST\n" ); }
EOF
$ gcc test.o -shared -nostdlib -lgcc -o libtest.so
$ mount | grep ~/tmp
none on /home/x/tmp type tmpfs (rw,noexec,nosuid,nodev,size=2g,uid=1000,gid=1000,mode=0700)
$ LD_PRELOAD=~/tmp/libtest.so uname
ERROR: ld.so: object '/home/x/tmp/libtest.so' from LD_PRELOAD cannot be preloaded: ignored.
Linux
$ su -c "mount -o remount,exec /home/x/tmp"
Password: 
$ mount | grep ~/tmp
none on /home/x/tmp type tmpfs (rw,size=2g,uid=1000,gid=1000,mode=0700)
$ LD_PRELOAD=~/tmp/libtest.so uname
TEST
Linux
$ 

Regards
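Added example, not part of the original post: a way to check that the noexec,nosuid,nodev policy discussed above is actually in force on the mount points it is meant to cover. The function names `audit_mounts` and `sample_mounts` are hypothetical and the mount table is constructed, modelled on the `/home/x/tmp` tmpfs from the session above.

```shell
#!/bin/sh
# Added example (not from the original post): audit mount options against
# the noexec,nosuid,nodev policy. Function names are hypothetical.
REQUIRED="noexec nosuid nodev"

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
none /home/x/tmp tmpfs rw,nosuid,nodev,noexec,size=2097152k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# audit_mounts MOUNTPOINT...   (mount table on stdin)
# Prints one line per listed path that is not its own mount or that lacks a
# required option; returns 1 if anything was reported, 0 otherwise.
# Paths containing spaces are not handled (they appear as \040 in /proc/mounts).
audit_mounts() {
    awk -v required="$REQUIRED" -v targets="$*" '
    BEGIN { nreq = split(required, req, " "); ntgt = split(targets, tgt, " ") }
    { opts[$2] = $4 }    # a later entry for the same mount point wins
    END {
        bad = 0
        for (i = 1; i <= ntgt; i++) {
            mp = tgt[i]
            if (!(mp in opts)) { print mp ": not a separate mount"; bad = 1; continue }
            n = split(opts[mp], have, ",")
            missing = ""
            for (j = 1; j <= nreq; j++) {
                found = 0
                # compare whole tokens: a substring test would match "exec" in "noexec"
                for (k = 1; k <= n; k++) if (have[k] == req[j]) found = 1
                if (!found) missing = missing (missing == "" ? "" : ",") req[j]
            }
            if (missing != "") { print mp ": missing " missing; bad = 1 }
        }
        exit bad
    }'
}

# Demo on the constructed table; on a live system: audit_mounts /tmp < /proc/mounts
sample_mounts | audit_mounts /home/x/tmp /dev/shm /var/tmp || true
```

A path reported as "not a separate mount" inherits the options of its parent file system, so the policy has to be checked there instead.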



Thread

Re: Critical Linux exploit in the wild Lusotec <nomail@nomail.not> - 2013-05-19 11:40 +0100
  Re: Critical Linux exploit in the wild Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-20 12:29 +0000
    Re: Critical Linux exploit in the wild Lusotec <nomail@nomail.not> - 2013-05-20 15:18 +0100
