1.)
If you happen to use grsecurity, you have two kernel options for
controlling ptrace:
GRKERNSEC_AUDIT_PTRACE "Ptrace logging"
If you say Y here, all attempts to attach to a process via ptrace
will be logged. If the sysctl option is enabled, a sysctl option
with name "audit_ptrace" is created.

GRKERNSEC_HARDEN_PTRACE "Deter ptrace-based process snooping"
If you say Y here, TTY sniffers and other malicious monitoring
programs implemented through ptrace will be defeated. If you
have been using the RBAC system, this option has already been
enabled for several years for all users, with the ability to make
fine-grained exceptions.

This option only affects the ability of non-root users to ptrace
processes that are not a descendent of the ptracing process.
This means that strace ./binary and gdb ./binary will still work,
but attaching to arbitrary processes will not. If the sysctl
option is enabled, a sysctl option with name "harden_ptrace" is
created.

2.)
Moreover, in the policy file with enabled RBAC, you can select which
process can ptrace:
-CAP_ALL
+CAP_SYS_PTRACE

3.)
And even some more options:
# Role flags:
# A -> This role is an administrative role, thus it has special privilege normal
# roles do not have. In particular, this role bypasses the
# additional ptrace restrictions

object:
# p -> reject all ptraces to this object

process:
# t -> allow this process to ptrace any process (use with caution)
# r -> relax ptrace restrictions (allows process to ptrace processes

So it depends on what kind of hardening method you are using.

Regarding the actual exploit:
1.)
GRKERNSEC_PROC_MEMMAP "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
give no information about the addresses of its mappings if
PaX features that rely on random addresses are enabled on the task.
If you use PaX it is greatly recommended that you say Y here as it
closes up a hole that makes the full ASLR useless for suid
binaries.

2.)
readelf -h /bin/su
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x2010
Start of program headers: 52 (bytes into file)
Start of section headers: 33572 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 9
Size of section headers: 40 (bytes)
Number of section headers: 25
Section header string table index: 24

Dw.
--
Dr Attila Tóth, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2012 January 24 (Tue) 12:52, Kevin Chadwick wrote:
> On Tue, 24 Jan 2012 09:33:36 +0100
> "Tóth Attila" wrote:
>
>> My only concern against bruteforce protection is the possibility of a
>> DoS.
>> But it's always better to get DoSed, than to get bruteforced...
>
> Is ptrace disabled on hardened gentoo too?
>
> --
> Kc
>
>
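As an added example (not part of the message above), a small POSIX shell audit that checks the three things the reply points to: the harden_ptrace/audit_ptrace sysctls, whether /proc/<pid>/maps hides mapping addresses (GRKERNSEC_PROC_MEMMAP), and whether a setuid binary such as /bin/su is a PIE (e_type DYN, as the readelf output shows). Assumptions: the grsecurity sysctls live under /proc/sys/kernel/grsecurity/, hidden mappings read as all-zero address ranges, and make_elf_stub plus the header bytes it writes are constructed purely for offline testing.

```shell
#!/bin/sh
# Audit helpers for grsecurity ptrace hardening and ASLR leak checks.
# Assumption: grsecurity sysctls are exposed under /proc/sys/kernel/grsecurity/.
GRSEC_DIR="${GRSEC_DIR:-/proc/sys/kernel/grsecurity}"

# Value of a grsecurity sysctl (harden_ptrace, audit_ptrace, ...),
# or "absent" when the running kernel does not provide it.
grsec_sysctl() {
    [ -r "$GRSEC_DIR/$1" ] && cat "$GRSEC_DIR/$1" || echo absent
}

# Does /proc/<pid>/maps expose mapping addresses? "no" means every range
# reads as zeros (assumed form of GRKERNSEC_PROC_MEMMAP hiding on PaX tasks).
maps_leak_addresses() {
    f="/proc/${1:-self}/maps"
    [ -r "$f" ] || { echo unreadable; return; }
    awk '$1 !~ /^0+-0+$/ { n++ } END { print (n ? "yes" : "no") }' "$f"
}

# Classify an ELF file by e_type (offset 16), honouring EI_DATA (offset 5).
# DYN is a PIE (as readelf showed for /bin/su); EXEC has a fixed load base,
# so its main image gets no ASLR at all.
elf_type() {
    [ -r "$1" ] || { echo unreadable; return; }
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = 7f454c46 ] || { echo not-elf; return; }
    data=$(od -An -tx1 -j5 -N1 "$1" | tr -d ' \n')    # 01 = little, 02 = big endian
    both=$(od -An -tx1 -j16 -N2 "$1" | tr -d ' \n')   # the two e_type bytes as hex
    if [ "$data" = 01 ]; then low=${both%??}; else low=${both#??}; fi
    case "$low" in 02) echo EXEC ;; 03) echo DYN ;; *) echo "other(0x$low)" ;; esac
}

# Write a constructed 18-byte ELF32 little-endian header stub to $1 whose
# e_type low byte is $2 in octal (003 = ET_DYN, 002 = ET_EXEC). Test input only.
make_elf_stub() {
    printf "\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\\$2\000" > "$1"
}

# One-screen report for the local host; needs no privileges.
ptrace_audit_report() {
    for s in harden_ptrace audit_ptrace; do
        echo "grsecurity.$s = $(grsec_sysctl "$s")"
    done
    echo "/proc/self/maps leaks addresses: $(maps_leak_addresses self)"
    echo "$1 e_type: $(elf_type "$1")"
}

ptrace_audit_report "${1:-/bin/su}"
```

Run it with a different setuid binary as the first argument to check that file instead of /bin/su.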