From: juraj at bednar.sk (Juraj Bednar)
Subject: ptrace exploit workaround

Hi,

while waiting for kernel compilations from Debian (and while waiting for my kernel compilations to finish), I coded a single module, which acts as a workaround for one particular exploit I found in one user's home directory.

Disclaimer:

1.) I don't guarantee that it will protect you from other exploits (it won't).
2.) I guarantee it won't break anything (actually it will break some occasional ptrace situations, but for simple gdb and stuff, this is ok).
3.) I don't guarantee it will work. It may freeze your machine. YMMV.
4.) I'm not a Linux kernel module coder. If you come up with something better, drop me a note.
5.) Against this exploit, a simple chmod 700 /proc would suffice (since it wants to open /proc/self/exe). This is somehow cleaner.
6.) It should unload correctly, if it doesn't freeze your system (see point 3 :).

Anyways, as a simple workaround, it works for me, so I thought I'd post it; it may help you overcome this ugly time.

Compilation instructions are in the source comment.

J.

--
Juraj Bednar
http://www.jurajbednar.com/
http://juraj.bednar.sk/

-------------- next part --------------
/*
 * ptrace_workaround.c
 *
 * While waiting for kernel compilations from Debian (and while waiting for my
 * kernel compilations to finish), I coded a single module, which acts as a
 * workaround for one particular exploit I found in one user's home directory.
 *
 * Disclaimer:
 * 1.) I don't guarantee that it will protect you from other exploits (it won't).
 * 2.) I guarantee it won't break anything (actually it will break some
 *     occasional ptrace situations, but for simple gdb and stuff, this is ok).
 * 3.) I don't guarantee it will work. It may freeze your machine. YMMV.
 * 4.) I'm not a Linux kernel module coder. If you come up with something
 *     better, drop me a note.
 * 5.) Against this exploit, a simple chmod 700 /proc would suffice (since it
 *     wants to open /proc/self/exe). This is somehow cleaner.
 * 6.) It should unload correctly, if it doesn't freeze your system (see point 3 :).
 *
 * Anyways, as a simple workaround, it works.
 *
 * Compile with:
 *
 *   gcc -O2 -Wall -o ptrace_workaround.o -c ptrace_workaround.c -I/usr/src/linux/include
 *
 * (/usr/src/linux should contain preconfigured kernel headers, or include
 * from the kernel-headers package. -O2 is required: the 2.4 headers rely on
 * inlining, and without optimisation the link of the module fails.)
 */

#define MODULE
#define __KERNEL__

#include <linux/config.h>
#ifdef CONFIG_MODVERSIONS
#include <linux/modversions.h>	/* must come before the other kernel headers */
#endif
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/smp_lock.h>
#include <linux/errno.h>
#include <linux/sched.h>	/* task_struct, tasklist_lock, find_task_by_pid */
#include <linux/ptrace.h>	/* PTRACE_ATTACH, PTRACE_TRACEME */
#include <asm/unistd.h>		/* __NR_ptrace: index into the system call table */

MODULE_LICENSE("GPL");

/* sys_call_table is exported by 2.4 kernels, so we can patch it directly. */
extern void *sys_call_table[];

/* The kernel's own sys_ptrace(), saved so we can call it and restore it. */
asmlinkage int (*orig_sys_ptrace)(long request, long pid, long addr, long data);

/*
 * Replacement for sys_ptrace().
 *
 * PTRACE_TRACEME acts on the caller, not on a pid, and PTRACE_ATTACH is
 * already subject to the kernel's own uid checks, so both are passed through
 * unchanged. Every other request is refused with -EPERM if the traced task's
 * effective ids differ from its real ids, i.e. if the task has acquired
 * privileges it was not started with. Peeking or poking such a task is what
 * this module is meant to prevent. Processes whose ids all match (the normal
 * gdb case) are unaffected.
 */
asmlinkage int hacked_sys_ptrace(long request, long pid, long addr, long data)
{
	struct task_struct *child;

	if (request == PTRACE_TRACEME || request == PTRACE_ATTACH)
		return orig_sys_ptrace(request, pid, addr, data);

	lock_kernel();
	read_lock(&tasklist_lock);
	child = find_task_by_pid(pid);
	if (child)
		get_task_struct(child);	/* hold a reference while we look at it */
	read_unlock(&tasklist_lock);

	if (!child) {
		unlock_kernel();
		return -ESRCH;
	}

	mb();
	if ((child->euid != child->uid) || (child->egid != child->gid)) {
		free_task_struct(child);
		unlock_kernel();
		return -EPERM;
	}

	free_task_struct(child);	/* drop the reference taken above */
	unlock_kernel();

	/* The original sys_ptrace repeats the lookup and its own permission checks. */
	return orig_sys_ptrace(request, pid, addr, data);
}

int init_module(void)	/* module setup */
{
	orig_sys_ptrace = sys_call_table[__NR_ptrace];
	sys_call_table[__NR_ptrace] = hacked_sys_ptrace;
	return 0;
}

void cleanup_module(void)	/* module shutdown */
{
	sys_call_table[__NR_ptrace] = orig_sys_ptrace;	/* restore the original ptrace syscall */
}