| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Apr 12 23:22:17 2005
From: propolice at gmail.com (Eduardo Tongson)
Subject: linux bugs (survival stories)?
#include <stdio.h>
int main(int argc, char *argv[])
{
printf("Hello world!\n");
return 0;
}
> "like for example" is always a bad way to discuss things, because it's
> unclear what exactly you're talking about. ;)
ok ;)
> Now, going with specifics... The last really big "trivial" issue with
> bypassing noexec on mounted filesystems was closed by a patch from Ulrich
> Drepper in 2.6.0 - basically forcing you to mmap() the binary in and then
> mprotect() it to add the exec flag. And at *that* point, it gets ugly, because
> even if you stop them from calling mprotect() to get it executable, they can
> still use some variant of "unexec()" (see the Emacs/XEmacs source tree) to dump
> it out, twiddle the headers, and then exec() it off some other file system.
>
> So what specific issue with noexec are *you* thinking of, and what is your
> proposed fix for it?
'hello world' can bypass noexec
just remove the executable flags from the program headers
the compiled binary don't even need to have executable permissions
#include <stdio.h>
int main(int argc, char *argv[])
{
printf("Hello world!\n");
return 0;
}
% sudo mount -o remount,noexec /tmp
% wget http://pornadmin.net/~tongson/linux/helloworld.bin -O /tmp/helloworld.bin
% /lib/ld-linux.so.2 /tmp/helloworld.bin
Hello world!
--
Eduardo Tongson
<pornadmin.net/~tongson>
Powered by blists - more mailing lists