Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20181115195319.GB5044@pi3.com.pl>
Date: Thu, 15 Nov 2018 20:53:19 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com,
	Ilya Matveychikov <matvejchikov@...il.com>
Subject: Re: LKRG 0.5

Hi Ilya,

Can you re-verify if you don't see NULL deref problems anymore?

Thanks,
Adam

On Tue, Nov 13, 2018 at 05:33:09AM 
+0100, Adam Zabrocki wrote:
> Hi,
> 
> I was able to repro this NULL deref (thanks for this test!) and I've fixed 
> it via this commit:
> 
> https://bitbucket.org/Adam_pi3/lkrg-main/commits/7c9b79bea77df2dc4944b0fe29f4dc8c3d26b302
> 
> In short it happens because of the malicious activity of khook_demo module. 
> This module hooks "inode_permission" function (kernel core .text section) and 
> redirects to the internal function "khook_inode_permission" inside of the
> khook_demo module.
> Hook is being done in a very smart way by modifying long NOP (injected by 
> *_JUMP_LABEL) to JMP instruction (emulating *_JUMP_LABEL functionality). LKRG 
> correctly detects not-legit modification but new code has a bug that if 
> modification happens to the core kernel .text from the 3rd party module, 
> and falls perfectly into *_JUMP_LABEL scenario, it detect this bad 
> behaviour but then might generate NULL deref.
> 
> Thanks for testing it. Now LKRG detects not-legit hook and do not crash the 
> kernel (unless you enable lkrg.ci_panic=1 via sysctl).
>  
> *_JUMP_LABEL support in LKRG is already complicated and will be rewritten in 
> the future versions - but it will be bigger change which requires some time to 
> research.
> 
> Thanks,
> Adam
> 
> On Mon, Nov 12, 2018 at 04:40:31PM +0400, Ilya Matveychikov wrote:
> > Hey,
> > 
> > While recoding a video of LKRG 5.0 bypass I faced a BUG. So, no video at this time
> > but maybe next time when this bug will be fixed :-)
> > 
> > [110338.513153] BUG: unable to handle kernel NULL pointer dereference at           (null)
> > [110338.963680] IP: [<ffffffffc0638c89>] p_cmp_bytes+0x239/0x940 [p_lkrg]
> > [110339.482601] PGD 0
> > [110339.546025] Oops: 0000 [#1] SMP
> > [110339.606575] Modules linked in: khook_demo(OE) p_lkrg(OE) ufs msdos xfs vboxsf(OE) isofs ppdev binfmt_misc input_leds serio_raw parport_pc video parport vboxguest(OE) ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul vboxvideo(OE) ghash_clmulni_intel drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops aesni_intel ttm mptspi aes_x86_64 lrw glue_helper ablk_helper cryptd scsi_transport_spi mptscsih drm psmouse e1000 mptbase
> > [110343.097907] CPU: 1 PID: 3858 Comm: kworker/u8:2 Tainted: G           OE   4.8.0-53-generic #56~16.04.1-Ubuntu
> > [110343.559133] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> > [110343.947920] Workqueue: events_unbound p_check_integrity [p_lkrg]
> > [110343.997952] task: ffff9d7a7aa8d880 task.stack: ffff9d7a69cd4000
> > [110344.778608] RIP: 0010:[<ffffffffc0638c89>]  [<ffffffffc0638c89>] p_cmp_bytes+0x239/0x940 [p_lkrg]
> > [110345.086806] RSP: 0018:ffff9d7a69cd7a10  EFLAGS: 00010086
> > [110345.531187] RAX: 0000000000000000 RBX: ffffffffc00992e0 RCX: 0000000000000022
> > [110345.947264] RDX: 0000000000000000 RSI: 0000000000004000 RDI: ffffffffc00992e0
> > [110345.982935] RBP: ffff9d7a69cd7d70 R08: 0000000000000000 R09: 0000000000000190
> > [110346.415325] R10: ffffc06fc1735898 R11: ffffffffc009b100 R12: ffffc06fc0c01000
> > [110346.960013] R13: 0000000000293898 R14: ffff9d7a69cd7c51 R15: ffffc06fc0e94898
> > [110347.167329] FS:  0000000000000000(0000) GS:ffff9d7a7fc80000(0000) knlGS:0000000000000000
> > [110347.558976] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [110347.587279] CR2: 0000000000000000 CR3: 000000003a9ad000 CR4: 00000000000406e0
> > [110347.842746] Stack:
> > [110347.962880]  ffff9d7a7bb95980 ffff9d7a69cd7a50 0000000000000000 ffffffff992002b8
> > [110348.742840]  ffffffff99493b50 0000000000293899 ffffc06fc0e94899 0000000000000022
> > [110349.267536]  000000000089f697 ffffc06fc1735898 000000000000000f ffffc06fc14a2000
> > [110349.564549] Call Trace:
> > [110349.571774]  [<ffffffff992002b8>] ? 0xffffffff992002b8
> > [110349.931856]  [<ffffffff99493b50>] ? writenote+0xc0/0xc0
> > [110349.967838]  [<ffffffffc06395a2>] p_check_integrity+0x212/0x1980 [p_lkrg]
> > [110350.058749]  [<ffffffff992c1451>] ? pick_next_task_fair+0x111/0x4f0
> > [110351.175217]  [<ffffffff9929d89b>] process_one_work+0x16b/0x4a0
> > [110351.551869]  [<ffffffff9929dc1b>] worker_thread+0x4b/0x500
> > [110351.567748]  [<ffffffff9929dbd0>] ? process_one_work+0x4a0/0x4a0
> > [110351.595704]  [<ffffffff9929dbd0>] ? process_one_work+0x4a0/0x4a0
> > [110351.623514]  [<ffffffff992a3fb8>] kthread+0xd8/0xf0
> > [110351.659862]  [<ffffffff99a9aa9f>] ret_from_fork+0x1f/0x40
> > [110351.673789]  [<ffffffff992a3ee0>] ? kthread_create_on_node+0x1e0/0x1e0
> > [110351.683488] Code: ff 0f 87 d3 06 00 00 48 8b 8d d8 fc ff ff 48 39 8d f0 fc ff ff 0f 84 1c 05 00 00 4d 85 db 0f 84 b4 04 00 00 48 8b 85 b0 fc ff ff <4c> 3b 18 0f 85 ad 03 00 00 0f b6 85 03 fd ff ff 48 8d 95 03 fd
> > [110351.727548] RIP  [<ffffffffc0638c89>] p_cmp_bytes+0x239/0x940 [p_lkrg]
> > [110351.729925]  RSP <ffff9d7a69cd7a10>
> > [110351.731103] CR2: 0000000000000000
> > 
> > 
> > > On Nov 12, 2018, at 4:27 PM, Solar Designer <solar@...nwall.com> wrote:
> > > 
> > > Hi,
> > > 
> > > We'd like to announce Linux Kernel Runtime Guard (LKRG) version 0.5:
> > > 
> > > https://www.openwall.com/lkrg/
> > > 
> > > The following changes have been made between LKRG 0.4 and 0.5:
> > > 
> > > *) [CI] Add *_JUMP_LABEL support for kernel modules (a major change)
> > > *) [CI] Add support for "cold" function versions generated by new GCC -
> > > necessary to correctly handle *_JUMP_LABEL
> > > *) [CI] Change output message format when *_JUMP_LABEL was detected for kernel
> > > module's .text section
> > > *) [CI] Add new sysctl interface - optional panic() on CI verification failure
> > > *) [ED] Hook generic_permission() instead of may_open()
> > > *) [ED] Hook and correctly handle override_creds() / revert_creds()
> > > *) Add Mikhail Klementev's patches for Makefile, .gitignore and missing include
> > > 
> > > Legend:
> > > [CI] - Code Integrity
> > > [ED] - Exploit Detection
> > > 
> > > Like before, this release is mostly due to work by Adam 'pi3' Zabrocki.
> > > 
> > > Alexander
> > 
> 
> -- 
> pi3 (pi3ki31ny) - pi3 (at) itsec pl
> http://pi3.com.pl

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.