Message-ID: <CAG48ez3UTpmkZ=VnSeD=LfistvsSQ6dFe_R4opbTcHhfgzo-gQ@mail.gmail.com>
Date: Wed, 14 Jun 2017 16:33:39 +0200
From: Jann Horn <jannh@...gle.com>
To: Solar Designer <solar@...nwall.com>
Cc: Matt Brown <matt@...tt.com>, Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: Re: [PATCH v2 1/1] Add Trusted Path Execution as a stackable LSM

On Wed, Jun 14, 2017 at 4:28 PM, Solar Designer <solar@...nwall.com> wrote:
> On Wed, Jun 14, 2017 at 03:15:22PM +0200, Jann Horn wrote:
>> Some random related issues:
>>
>> Scripts with shebang lines like "#!/usr/bin/env python" probably wouldn't
>> work anymore, at least not without special-case logic, because in this case,
>> env has to invoke python.
>
> Why would this break?  If both env and python are in trusted paths, it
> should work with TPE just fine.  (But then TPE is rather ineffective.)

I think somewhere in this thread, or a related one, it was suggested to have
some mechanism to only prevent execution of e.g. python as an interpreter,
not direct execution.

>> ssh and ssh-agent can load libraries from paths passed on the command
>> line, by design.
>> The alsa client library loads libraries from paths specified in user-owned
>> config files.
>>
>> If you can use dd (or anything else that permits writing to a specific
>> position in a file), you should be able to directly overwrite the memory
>> of a process using something like
>> "dd of=/proc/self/mem bs=1 seek=$STARTADDRESS < new_data".
>> I think one way to do this remotely is to use SFTP.
>
> IIRC, /proc/self/mem requires mmap() and won't work with dd's write().

That's definitely not true. You can't mmap() /proc/*/mem on Linux, and
reading/writing to/from it works. With older kernel versions, only the
ptrace parent was permitted to use /proc/*/mem for non-self processes,
but in newer kernel versions, that restriction is gone.
For an example, see: http://seclists.org/fulldisclosure/2014/Oct/35
(I think the mitigation added in OpenSSH 6.7 doesn't really work
properly anymore on newer kernels.)

>> Bash has a built-in named "enable" that can load shared libraries directly
>> into the shell.
>>
>> These are just some random examples I came up with relatively quickly,
>> there are probably more.
>
> Thanks.  The ssh, alsa, and bash "enable" examples are probably valid.
>
> Alexander
