Full Disclosure mailing list archives
Re: linux bugs (survival stories)?
From: pageexec () freemail hu
Date: Wed, 13 Apr 2005 01:41:03 +0100
Valdis Kletnieks wrote:
> Now, going with specifics... The last really big "trivial" issue with bypassing noexec on mounted filesystems was closed by a patch from Ulrich Drepper in 2.6.0 - basically forcing you to mmap() the binary in and then mprotect() it to add the exec flag. And at *that* point, it gets ugly, because even if you stop them from calling mprotect() to get it executable, they can still use some variant of "unexec()" (see the Emacs/XEmacs source tree) to dump it out, twiddle the headers, and then exec() it off some other file system.
the problem with the above is that it assumes that you already have a file system where you can write to/execute from, in which case you don't need to bother with the original noexec mounted filesystem at all, you just put your exploit into this fs and be done with it.

the real problem with the current linux noexec mount handling is that by not restricting mprotect one can just construct an ELF file that when mmap'ed will overlap the stack and call mprotect and execute your code, effectively circumventing this measure (there was a longish thread on this topic last May on dailydave). this gives you a false sense of security only, not security. without such a restriction a sysadmin cannot enforce a W^X policy at the file system level. NetBSD (maybe the others as well, i didn't check) and PaX both forbid mprotect(PROT_EXEC) on noexec mounts for this reason.
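Added example, not part of the original post or of any project named in it: a small audit probe that checks whether a given system enforces the restriction discussed above, i.e. whether PROT_EXEC can still be obtained on a mapping of a file that lives on a noexec mount. The names `probe_path`, `classify` and the verdict labels are illustrative; the probe only requests protections and never executes the mapped bytes.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8 /* Linux value; glibc exposes it only under _GNU_SOURCE */
#endif

struct probe { int noexec, mmap_exec, mprotect_exec; };
enum verdict { NOT_NOEXEC, ENFORCED, BYPASSABLE };

/* Map one page of `path` and record which PROT_EXEC requests succeed.
 * Returns 0 on success, -1 if the probe itself could not run. */
int probe_path(const char *path, struct probe *out)
{
    struct statvfs sv;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstatvfs(fd, &sv) != 0) { close(fd); return -1; }
    out->noexec = (sv.f_flag & ST_NOEXEC) != 0;

    /* Case 1: ask for an executable file mapping directly. */
    void *m = mmap(NULL, pg, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    out->mmap_exec = (m != MAP_FAILED);
    if (m != MAP_FAILED) munmap(m, pg);

    /* Case 2: map read-only first, then add PROT_EXEC with mprotect(). */
    m = mmap(NULL, pg, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return -1;
    out->mprotect_exec = (mprotect(m, pg, PROT_READ | PROT_EXEC) == 0);
    munmap(m, pg);
    return 0;
}

/* noexec is only meaningful if neither route yields an executable mapping. */
enum verdict classify(const struct probe *p)
{
    if (!p->noexec) return NOT_NOEXEC;
    return (p->mmap_exec || p->mprotect_exec) ? BYPASSABLE : ENFORCED;
}

int main(int argc, char **argv)
{
    static const char *txt[] = { "not a noexec mount", "PROT_EXEC refused", "PROT_EXEC obtainable" };
    struct probe p;
    if (argc != 2 || probe_path(argv[1], &p) != 0) { fprintf(stderr, "usage: probe FILE\n"); return 2; }
    printf("noexec=%d mmap_exec=%d mprotect_exec=%d: %s\n", p.noexec, p.mmap_exec, p.mprotect_exec, txt[classify(&p)]);
    return classify(&p) == BYPASSABLE;
}
```

Run it against any readable file on the mount being audited; a result of `PROT_EXEC refused` corresponds to the behaviour the post attributes to NetBSD and PaX.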