Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: Jeffrey Denton <dentonj () gmail com>
Date: Wed, 20 Oct 2004 11:13:02 -0700

On Wed, 20 Oct 2004 00:04:36 -0500, security () kemhosting com
<security () kemhosting com> wrote:

> Today, hackers used the ShellBOT perl script to bring down Apache and start up
> their IRC listener.  They (somehow) copied it into /tmp and executed it.  This
> confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
> Perl somehow bypass this?

If the command they are running is something similar to:

# perl /tmp/script.pl

Then script.pl isn't being directly executed, perl is.  In this
example, script.pl itself doesn't even need to be executable.  The same
thing can be done with shell scripts.

# sh /tmp/script.sh

The noexec flag can be bypassed by binaries that are dynamically
linked by using /lib/ld-linux.so.  You execute the linker and give the
command you want to run as the option.

# cp /usr/bin/ls /tmp
# /tmp/ls
/tmp/ls: Permission denied
# /lib/ld-linux.so.2 /tmp/ls

The only way that I'm aware of to stop the above from happening is by
using libsafe.  You will then end up with the following error:

# /lib/ld-linux.so.2 /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map
segment from shared object: Operation not permitted

One interesting observation is that the output of ldd changes when run
on commands located on noexec partitions and libsafe is being used.

# ldd /tmp/ls
       not a dynamic executable
# ldd /usr/bin/ls
       /lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40017000)
       librt.so.1 => /lib/librt.so.1 (0x4002e000)
       libc.so.6 => /lib/libc.so.6 (0x40040000)
       . . . 
       . . .

One warning, libsafe is not always the answer to securing a system
since it has a habit of interfering with programs and servers.  As
with every security measure, test, test, test.....
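The two bypasses described above (an interpreter such as perl or sh reading a script from /tmp, and the dynamic loader being handed a binary copied there) share one visible trait: the file on the noexec mount shows up as an argument to another program rather than as the executable itself. The following script is an added example, not part of the original mail and not from the ShellBOT or libsafe projects; it runs that check as a detection heuristic over constructed /proc/mounts-style and process-list data. The list of interpreter and loader names it recognises is an assumption for the demo, and the sample lines are constructed; on a real host you would feed it /proc/mounts and /proc/<pid>/cmdline instead.

```shell
#!/bin/sh
# Added example (not from the original post): flag processes in which an
# interpreter or the dynamic loader is handed a file that lives on a mount
# carrying the noexec option. All data below is constructed for the demo;
# on a live host read /proc/mounts and /proc/<pid>/cmdline instead.

# Constructed /proc/mounts-style lines: device mountpoint fstype options ...
MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda2 /home ext3 rw 0 0'

# Constructed process list, "pid|command line", one per line.
PROCS='101|/usr/sbin/apache -k start
102|perl /tmp/script.pl
103|sh /tmp/script.sh
104|/lib/ld-linux.so.2 /tmp/ls
105|/usr/bin/ls /home/user'

# Print the longest noexec mount point that contains path $1 (empty if none).
noexec_mount_for() {
    path=$1
    best=
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        # Only mounts whose option list contains noexec are interesting.
        case ",$opts," in *,noexec,*) ;; *) continue ;; esac
        # "${mnt%/}"/* turns "/" into "/*" and "/tmp" into "/tmp/*".
        case "$path" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -gt ${#best} ]; then best=$mnt; fi ;;
        esac
    done <<EOF
$MOUNTS
EOF
    printf '%s\n' "$best"
}

# Program names (assumed list) that execute the file given as their first
# argument. The ld-linux entries cover the loader trick described above.
is_indirect_executor() {
    case "$1" in
        perl|sh|bash|python|ld-linux.so.*|ld-linux-*|ld.so) return 0 ;;
    esac
    return 1
}

# Check one command line; print a FLAGGED line and return 0 when the file
# handed to an interpreter/loader sits on a noexec mount, else return 1.
check_cmdline() {
    pid=$1
    cmd=$2
    set -- $cmd            # split the command line into words
    prog=${1##*/}          # basename of the program being run
    target=$2
    is_indirect_executor "$prog" || return 1
    [ -n "$target" ] || return 1
    mnt=$(noexec_mount_for "$target")
    [ -n "$mnt" ] || return 1
    printf 'FLAGGED pid=%s file=%s noexec_mount=%s cmd=%s\n' \
        "$pid" "$target" "$mnt" "$cmd"
    return 0
}

# Scan every constructed process and print one FLAGGED line per hit.
scan_procs() {
    while IFS='|' read -r pid cmd; do
        [ -n "$pid" ] || continue
        check_cmdline "$pid" "$cmd" || true
    done <<EOF
$PROCS
EOF
    return 0
}

scan_procs
```

Run as-is and it prints three FLAGGED lines, one each for the perl, sh and ld-linux.so.2 invocations, while the apache and ls processes pass. It is a heuristic only: it sees the command line as it was launched, so a script that relocates itself or an interpreter fed its input on stdin will not be caught, which is why the author's point about testing libsafe on the actual workload still stands.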
