Security Incidents mailing list archives
RE: Suspicious files in /tmp
From: "Thyago Braga da Silva" <tbraga () gasecurity com br>
Date: Wed, 20 Jun 2007 20:06:05 -0300
A binary which you have NOT permission to execute but only to read, it can be executed. Follows an example note: [dx@foobar ~]$ ./prog checking... [dx@foobar ~]$ su Password: [root@foobar dx]# chmod 754 prog [root@foobar dx]# chown root:root prog [root@foobar dx]# exit [dx@foobar ~]$ ./prog -bash: ./prog: Permission denied [dx@foobar ~]$ ls -l prog -rwxr-xr-- 1 root root 4690 May 24 18:47 prog [dx@foobar ~]$ /lib/ld-linux.so.2 ./prog checking... [dx@foobar ~]$ Taking a look at strace's output we can note this: [dx@foobar ~]$ strace -fiv /lib/ld-linux.so.2 ./prog [ffffe405] execve("/lib/ld-linux.so.2", ["/lib/ld-linux.so.2", "./prog"], ["HOSTNAME=foobar", "TERM=xterm", "SHELL=/bin/bash", "HISTSIZE=1000", "SSH_CLIENT=localhost 1573 6"..., "SSH_TTY=/dev/pts/4", "USER=dx", "LS_COLORS=no=00:fi=00:di=00;34:l"..., "MAIL=/var/spool/mail/dx", "PATH=/usr/kerberos/bin:/usr/loca"..., "INPUTRC=/etc/inputrc", "PWD=/home/dx", "SHLVL=1", "HOME=/home/dx", "LOGNAME=dx", "SSH_CONNECTION=201.51.165.190 15"..., "LESSOPEN=|/usr/bin/lesspipe.sh %"..., "G_BROKEN_FILENAMES=1", "_=/usr/bin/strace"]) = 0 [56568deb] brk(0) = 0x56570000 [56569814] open("./prog", O_RDONLY) = 3 [56569894] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\340\202"..., 512) = 512 [565697d6] fstat64(3, {st_dev=makedev(9, 1), st_ino=16453004, st_mode=S_IFREG|0754, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=16, st_size=4690, st_atime=2007/05/24-18:54:19, st_mtime=2007/05/24-18:47:51, st_ctime=2007/05/24-18:48:42}) = 0 [565699e6] getcwd("/home/dx", 128) = 9 [56569a43] mmap2(0x8048000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x8048000 [56569a43] mmap2(0x8049000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x8049000 [5656984d] close(3) = 0 [56569a43] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf7f29000 The programs ld.so and ld-linux.so* find and load the shared libraries needed by a program, prepare the program to run, and then run it. If an application opens a file for reading and 'maps' it content into it's own pages (copy+resetting permissions), then it's would be legal (kernel-wise) to execute the page. The kernel won't allow to execute the binary straight off, because it doesn't have an 'x' on its pages. It would be possible to run it, even though it doesn't explicity have eXecutable flag. -----Mensagem original----- De: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu] Enviada em: Wednesday, June 20, 2007 1:47 PM Para: Robin Sheat Cc: incidents () securityfocus com Assunto: Re: Suspicious files in /tmp On Tue, 19 Jun 2007 13:33:21 +1200, Robin Sheat said:
I think it's also the case (I don't have a noexec partition handy to test on) that you can get around this by doing something like: /lib/ld-linux.so.2 /tmp/mybadbinary e.g.: /lib/ld-linux.so.2 /bin/ls
This particular trick was closed in the 2.6.0 kernel. I am *not* sure whether the fix was backported to the 2.4 kernel or not. ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E --------------------------------------------------------------------------
Current thread:
- Suspicious files in /tmp kladizkov.thehome (Jun 18)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 19)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Message not available
- Re: Suspicious files in /tmp Michal Zalewski (Jun 20)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Robin Sheat (Jun 19)
- Re: Suspicious files in /tmp Valdis . Kletnieks (Jun 20)
- RE: Suspicious files in /tmp Thyago Braga da Silva (Jun 21)
- RE: Suspicious files in /tmp kaneda (Jun 21)
- Re: Suspicious files in /tmp Eduardo Tongson (Jun 22)
- Re: Suspicious files in /tmp Cy Schubert (Jun 21)
- <Possible follow-ups>
- Re: Suspicious files in /tmp Juha-Matti Laurio (Jun 19)