Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.os.linux.security > #280 > unrolled thread
| Started by | Lusotec <nomail@nomail.not> |
|---|---|
| First post | 2013-05-19 11:40 +0100 |
| Last post | 2013-05-20 15:18 +0100 |
| Articles | 3 — 2 participants |
Back to article view | Back to comp.os.linux.security
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: Critical Linux exploit in the wild Lusotec <nomail@nomail.not> - 2013-05-19 11:40 +0100
Re: Critical Linux exploit in the wild Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> - 2013-05-20 12:29 +0000
Re: Critical Linux exploit in the wild Lusotec <nomail@nomail.not> - 2013-05-20 15:18 +0100
| From | Lusotec <nomail@nomail.not> |
|---|---|
| Date | 2013-05-19 11:40 +0100 |
| Subject | Re: Critical Linux exploit in the wild |
| Message-ID | <kna9vs$661$1@dont-email.me> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 TomB wrote: > Just a little heads-up... Thanks for the warning. > http://ostatic.com/blog/critical-linux-exploit-in-the-wild > > "If you run servers that provide shell accounts, it’s time to take > some preventive measures. At least it is if you are running kernel > versions 2.6.37 to 3.8.8, or if you are running RHEL 6 or a clone like > CentOS, then the bug was backported to 2.6.32. I ran the exploit > myself in a test environment, and it works exactly as expected. Log in > as a normal user, compile 100 or so lines of C code, run the > executable and you’ve got a root shell. Scary stuff if you manage > public shell accounts." > > For the exploit to work, there are a number of conditions that must be > met: > > * Linux must be compiled with PERF_EVENTS This kernel build configuration can be checked with the command zgrep PERF_EVENTS /proc/config.gz > * Shell accounts must have access to a working compiler Most servers and desktops systems don't need a compiler installed. As such, and as a policy in my company, such system don't have a compiler or build tools installed. Still, a malicious user or hacker could compile the exploit binary in another system and copy it to the target system. Another policy in my company is to mount all user writable partitions with noexec, nosuid, nodev options so even if the exploit binary was placed in the system by a user or a hacker (s)he would still have find a way to execute the exploit. > Obviously I checked all my servers where users have shell access, and > I was pleased to learn that none of my systems were affected :-) > > The exploit can be downloaded here: > > http://packetstormsecurity.com/files/121616/semtex.c Some more information on the subject. Bug report: https://bugzilla.redhat.com/show_bug.cgi?id=962792 Fix: <http://git.kernel.org/cgit/linux/kernel/git/torvalds/ linux.git/commit/?id=8176cced706b5e5d15887584150764894e94e02f> > Check your systems! $ ./semtex semtex: semtex.c:51: sheep: Assertion `!close(fd)' failed. For some reason it did not work on this system and I think all requirements are present. Regards. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iF4EAREIAAYFAlGYrCkACgkQGQjO2ccW76qCQgD/QYoct7HFe6OXM+bJ3CSE3/Yh TqcaKCYfv/QXkTbyAy8A/3nDfHoZ41nvx2DvE99ejWoAKsx2AW6Tnm67ITaSNSSZ =O4yG -----END PGP SIGNATURE-----
[toc] | [next] | [standalone]
| From | Casper H.S. Dik <Casper.Dik@OrSPaMcle.COM> |
|---|---|
| Date | 2013-05-20 12:29 +0000 |
| Message-ID | <519a1719$0$15886$e4fe514c@news2.news.xs4all.nl> |
| In reply to | #280 |
Lusotec <nomail@nomail.not> writes: >Another policy in my company is to mount all user writable partitions with >noexec, nosuid, nodev options so even if the exploit binary was placed in >the system by a user or a hacker (s)he would still have find a way to >execute the exploit. Does it work against making the exploit called from the init routine in shared object which you could load as LD_PRELOAD in any executable you are allowed to run? (In Solaris, a shared object in a noexec mount cannot be loaded but I'm not sure if Linux extend the noexec to mmap()'ed objects.) Of course, if the user has access to perl, python, then noexec doesn't help all that much. Casper
[toc] | [prev] | [next] | [standalone]
| From | Lusotec <nomail@nomail.not> |
|---|---|
| Date | 2013-05-20 15:18 +0100 |
| Message-ID | <kndb4a$o8i$1@dont-email.me> |
| In reply to | #281 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Casper H. S. Dik wrote:
> Lusotec writes:
>>Another policy in my company is to mount all user writable partitions with
>>noexec, nosuid, nodev options so even if the exploit binary was placed in
>>the system by a user or a hacker (s)he would still have find a way to
>>execute the exploit.
>
> Does it work against making the exploit called from the init routine
> in shared object which you could load as LD_PRELOAD in any executable
> you are allowed to run?
>
> (In Solaris, a shared object in a noexec mount cannot be loaded but
> I'm not sure if Linux extend the noexec to mmap()'ed objects.)
>
> Of course, if the user has access to perl, python, then noexec doesn't
> help all that much.
As you can see below, preloading a library from a noexec mounted file system
does not work.
$ PS1=$
$ LANDUAGE=C
$ cd ~/tmp
$ gcc -fPIC -c -o test.o -x c - <<EOF
#include <stdio.h>
void _init(void) { printf( "TEST\n" ); }
EOF
$ gcc test.o -shared -nostdlib -lgcc -o libtest.so
$ mount | grep ~/tmp
none on /home/x/tmp type tmpfs (rw,noexec,nosuid,nodev,size=2g,uid=1000,gid=1000,mode=0700)
$ LD_PRELOAD=~/tmp/libtest.so uname
ERROR: ld.so: object '/home/x/tmp/libtest.so' from LD_PRELOAD cannot be preloaded: ignored.
Linux
$ su -c "mount -o remount,exec /home/x/tmp"
Password:
$ mount | grep ~/tmp
none on /home/x/tmp type tmpfs (rw,size=2g,uid=1000,gid=1000,mode=0700)
$ LD_PRELOAD=~/tmp/libtest.so uname
TEST
Linux
$
Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAlGaMLgACgkQGQjO2ccW76rIPgD9G0wAV49vDJfiYnBDI/V2ypLg
qzomqWcXOBRyQyR7shYA/jTVVRCl2OAaVUsKIWcJUjsALAeO487hYh5eLq2bm8r0
=5Vnz
-----END PGP SIGNATURE-----
[toc] | [prev] | [standalone]
Back to top | Article view | comp.os.linux.security
csiph-web