| 1 |
1.) |
| 2 |
If you happen to use grsecurity, you have two kernel options for |
| 3 |
controlling ptrace: |
| 4 |
GRKERNSEC_AUDIT_PTRACE "Ptrace logging" |
| 5 |
If you say Y here, all attempts to attach to a process via ptrace |
| 6 |
will be logged. If the sysctl option is enabled, a sysctl option |
| 7 |
with name "audit_ptrace" is created. |
| 8 |
|
| 9 |
GRKERNSEC_HARDEN_PTRACE "Deter ptrace-based process snooping" |
| 10 |
If you say Y here, TTY sniffers and other malicious monitoring |
| 11 |
programs implemented through ptrace will be defeated. If you |
| 12 |
have been using the RBAC system, this option has already been |
| 13 |
enabled for several years for all users, with the ability to make |
| 14 |
fine-grained exceptions. |
| 15 |
|
| 16 |
This option only affects the ability of non-root users to ptrace |
| 17 |
processes that are not a descendent of the ptracing process. |
| 18 |
This means that strace ./binary and gdb ./binary will still work, |
| 19 |
but attaching to arbitrary processes will not. If the sysctl |
| 20 |
option is enabled, a sysctl option with name "harden_ptrace" is |
| 21 |
created. |
| 22 |
|
| 23 |
2.) |
| 24 |
Moreover, in the policy file with enabled RBAC, you can select which |
| 25 |
process can ptrace: |
| 26 |
-CAP_ALL |
| 27 |
+CAP_SYS_PTRACE |
| 28 |
|
| 29 |
3.) |
| 30 |
And even some more options: |
| 31 |
# Role flags: |
| 32 |
# A -> This role is an administrative role, thus it has special privilege |
| 33 |
normal |
| 34 |
# roles do not have. In particular, this role bypasses the |
| 35 |
# additional ptrace restrictions |
| 36 |
|
| 37 |
object: |
| 38 |
# p -> reject all ptraces to this object |
| 39 |
|
| 40 |
process: |
| 41 |
# t -> allow this process to ptrace any process (use with caution) |
| 42 |
# r -> relax ptrace restrictions (allows process to ptrace processes |
| 43 |
|
| 44 |
So it depends on what kind of hardening method you are using. |
| 45 |
|
| 46 |
Rearding the actual exploit: |
| 47 |
1.) |
| 48 |
GRKERNSEC_PROC_MEMMAP "Remove addresses from /proc/<pid>/[smaps|maps|stat]" |
| 49 |
If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat |
| 50 |
files will |
| 51 |
give no information about the addresses of its mappings if |
| 52 |
PaX features that rely on random addresses are enabled on the task. |
| 53 |
If you use PaX it is greatly recommended that you say Y here as it |
| 54 |
closes up a hole that makes the full ASLR useless for suid |
| 55 |
binaries. |
| 56 |
|
| 57 |
2.) |
| 58 |
readelf -h /bin/su |
| 59 |
ELF Header: |
| 60 |
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |
| 61 |
Class: ELF32 |
| 62 |
Data: 2's complement, little endian |
| 63 |
Version: 1 (current) |
| 64 |
OS/ABI: UNIX - System V |
| 65 |
ABI Version: 0 |
| 66 |
Type: DYN (Shared object file) |
| 67 |
Machine: Intel 80386 |
| 68 |
Version: 0x1 |
| 69 |
Entry point address: 0x2010 |
| 70 |
Start of program headers: 52 (bytes into file) |
| 71 |
Start of section headers: 33572 (bytes into file) |
| 72 |
Flags: 0x0 |
| 73 |
Size of this header: 52 (bytes) |
| 74 |
Size of program headers: 32 (bytes) |
| 75 |
Number of program headers: 9 |
| 76 |
Size of section headers: 40 (bytes) |
| 77 |
Number of section headers: 25 |
| 78 |
Section header string table index: 24 |
| 79 |
|
| 80 |
Dw. |
| 81 |
-- |
| 82 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 83 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 84 |
|
| 85 |
2012.Január 24.(K) 12:52 időpontban Kevin Chadwick ezt írta: |
| 86 |
> On Tue, 24 Jan 2012 09:33:36 +0100 |
| 87 |
> "Tóth Attila" wrote: |
| 88 |
> |
| 89 |
>> My only concern against bruteforce protection is the possiblity of a |
| 90 |
>> DoS. |
| 91 |
>> But it's always better to get DoSed, than to get bruteforced... |
| 92 |
> |
| 93 |
> Is ptrace disabled on hardened gentoo too? |
| 94 |
> |
| 95 |
> -- |
| 96 |
> Kc |
| 97 |
> |
| 98 |
> |
Archives