Message-ID: <20190721194838.GA1442@pi3.com.pl>
Date: Sun, 21 Jul 2019 21:48:38 +0200
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: LKRG 0.7 CI & ED bypass

Hi,

On Sun, Jul 21, 2019 at 11:19:56PM +0400, Ilya Matveychikov wrote:
> Hello,
>
> Nice to see LKRG version 0.7 here, I wondered whether it is still alive.
>
> This time I'd like to use a CHAIN!!11 of 2 by-design bugs in LKRG to
> show how to bypass both CI and ED:
>
> - (1) bypass of CI by locking "text_mutex", which makes CI stuck on
>   acquiring it, so no CI will be performed
> - (2) bypass of ED by patching the kprobes dispatcher function (get_kprobes),
>   so LKRG hooks will not be triggered by kprobes
>
> Unfortunately, I don't have much time to do a proper cleanup for this, but as
> usual I've published some code on github so anyone can play with it:
>
> https://github.com/milabs/kernel-exploits/commits/lkrg0.7-bypass
>
> Also, I don't know how good LKRG SMEP protection is, as I don't have a proper
> device to make tests, but as far as I can see SMEP protection (as well as WP once)
> is also kprobes-based, so I'm guessing this approach will defeat it as well.
>
> Did I miss something?
>

I've verified your code on 2 different devices a few times and the current
LKRG logic is 'faster' and kills it correctly:

[Sun Jul 21 12:42:45 2019] IP: [<00000000004010f9>] 0x4010f9
[Sun Jul 21 12:42:45 2019] PGD 63130067 PUD 63035067 PMD 0
[Sun Jul 21 12:42:45 2019] Oops: 0000 [#1] SMP
[Sun Jul 21 12:42:45 2019] Modules linked in: p_lkrg(OE) serio_raw hyperv_fb hv_balloon joydev ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic crct10dif_pclmul crc32_pclmul hv_netvsc hv_storvsc hid_hyperv scsi_transport_fc hid hyperv_keyboard hv_utils ghash_clmulni_intel aesni_intel aes_x86_64 lrw glue_helper ablk_helper cryptd hv_vmbus
[Sun Jul 21 12:42:45 2019] CPU: 0 PID: 1717 Comm: poc Tainted: G           OE   4.8.0-53-generic #56~16.04.1-Ubuntu
[Sun Jul 21 12:42:45 2019] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v3.0 03/02/2018
[Sun Jul 21 12:42:45 2019] task: ffff8e7ba5745b80 task.stack: ffff8e7bb107c000
[Sun Jul 21 12:42:45 2019] RIP: 0010:[<00000000004010f9>]  [<00000000004010f9>] 0x4010f9
[Sun Jul 21 12:42:45 2019] RSP: 0018:ffff8e7bb107fba8  EFLAGS: 00010206
[Sun Jul 21 12:42:45 2019] RAX: 0000000000000030 RBX: ffff8e7bb2850f00 RCX: 0000000000000000
[Sun Jul 21 12:42:45 2019] RDX: 0000000000038360 RSI: ffff8e7bb8a1c700 RDI: ffff8e7bbe806f80
[Sun Jul 21 12:42:45 2019] RBP: ffff8e7bb107fbd8 R08: 000000000001c700 R09: ffffffff8ba43444
[Sun Jul 21 12:42:45 2019] R10: ffffea0001c90600 R11: 0000000000000040 R12: ffff8e7bb2850f00
[Sun Jul 21 12:42:45 2019] R13: 0000000000000000 R14: ffff8e7ba54f5ec0 R15: 00000000fffffff2
[Sun Jul 21 12:42:45 2019] FS:  00007f12806e2700(0000) GS:ffff8e7bb8a00000(0000) knlGS:0000000000000000
[Sun Jul 21 12:42:45 2019] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Sun Jul 21 12:42:45 2019] CR2: 0000000000000030 CR3: 000000006564d000 CR4: 00000000000406f0
[Sun Jul 21 12:42:45 2019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[Sun Jul 21 12:42:45 2019] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[Sun Jul 21 12:42:45 2019] Stack:
[Sun Jul 21 12:42:45 2019]  ffffea000024cd40 0000000000000000 ffff8e7bb2850f00 0000000000000000
[Sun Jul 21 12:42:45 2019]  ffff8e7ba54f5ec0 ababa8bdbacffe00 ffff8e7bb107fbe8 00000000004011e1
[Sun Jul 21 12:42:45 2019]  ffff8e7bb107fc20 0000000000401270 ffffffff8bf6a134 ffff8e7bb2850f00
[Sun Jul 21 12:42:45 2019] Call Trace:
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf6a134>] ? skb_release_data+0xf4/0x100
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bfc5e93>] ? __ip_flush_pending_frames.isra.40+0x43/0x90
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf6a164>] ? skb_release_all+0x24/0x30
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf6a1c2>] ? kfree_skb+0x32/0x90
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bfc5e93>] ? __ip_flush_pending_frames.isra.40+0x43/0x90
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bfc74ac>] ? ip_flush_pending_frames+0x1c/0x20
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bff102b>] ? udp_sendmsg+0x3eb/0xa80
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf8957c>] ? dst_alloc+0x4c/0xa0
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bfc4410>] ? ip_reply_glue_bits+0x50/0x50
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bfbe702>] ? __ip_route_output_key_hash+0x522/0x8d0
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bffe5e5>] ? inet_sendmsg+0x65/0xa0
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf60a58>] ? sock_sendmsg+0x38/0x50
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf61061>] ? SYSC_sendto+0x101/0x190
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf66fb3>] ? sock_setsockopt+0x183/0x910
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bb79e10>] ? selinux_socket_setsockopt+0x40/0x50
[Sun Jul 21 12:42:45 2019]  [<ffffffff8bf61bbe>] ? SyS_sendto+0xe/0x10
[Sun Jul 21 12:42:45 2019]  [<ffffffff8c09a876>] ? entry_SYSCALL_64_fastpath+0x1e/0xa8
[Sun Jul 21 12:42:45 2019] Code:  Bad RIP value.
[Sun Jul 21 12:42:45 2019] RIP  [<00000000004010f9>] 0x4010f9
[Sun Jul 21 12:42:45 2019]  RSP <ffff8e7bb107fba8>
[Sun Jul 21 12:42:45 2019] CR2: 0000000000000030
[Sun Jul 21 12:42:45 2019] ---[ end trace 6cd6ebea7f9da220 ]---
[Sun Jul 21 12:42:45 2019] [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0xd1a1315dcc0fb3eb] and should be [0x63c62b27e26ab3d7] !!!
[Sun Jul 21 12:42:45 2019] [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 1 CHECKSUMS !!!
[Sun Jul 21 12:42:45 2019] [p_lkrg] <Exploit Detection> SMEP was disabled! Enforcing SMEP now!

In case of locking the global kernel text_mutex you will block not only LKRG
but the kernel itself. The idea is correct and we have documented this
limitation in our presentation here:

https://www.openwall.com/presentations/CONFidence2018-LKRG-Under-The-Hood/slide-39.html

Thanks,
Adam

> Ilya
>

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl
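The first half of the chain discussed above (hold a lock the integrity checker needs, so the check never runs) is a general weakness of any monitor that blocks on a lock an attacker can also take. The userspace model below is an added example written for this page; it is not LKRG code and does not reproduce LKRG's hashing, its lock handling or the real kernel's text_mutex. It hashes a constructed byte array standing in for the monitored text block, and acquires a modelled lock with a bounded number of attempts instead of blocking, so a lock that is never released becomes a reportable finding rather than a silent stall. The digest (FNV-1a), the attempt budget and the sample bytes are all assumptions of the example. What the model cannot show is Adam's second point: in the real kernel the same lock is shared with the kernel's own code-patching paths, so holding it indefinitely also stalls the kernel, not only the monitor.

```c
/* Added example, not LKRG code: userspace model of a periodic code-integrity
 * (CI) check that hashes a "text" region under a lock, and of why a blocking
 * lock lets an attacker starve the checker. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the monitored text block. Real kernel text is
 * read-only; this buffer is writable only so a code patch can be simulated. */
static unsigned char fake_text[16] = {
    0x55, 0x48, 0x89, 0xe5, 0x90, 0x90, 0x5d, 0xc3, /* push rbp; mov rbp,rsp; nop; nop; pop rbp; ret */
    0x0f, 0x1f, 0x44, 0x00, 0x00, 0x31, 0xc0, 0xc3  /* nopl 0(%rax,%rax,1); xor eax,eax; ret */
};

/* Model of the shared lock (text_mutex in the kernel): 0 = free, 1 = held.
 * An atomic flag stands in for the mutex so no threading library is needed. */
static atomic_int text_lock_model = 0;

static bool model_trylock(void)
{
    int expected = 0;
    return atomic_compare_exchange_strong(&text_lock_model, &expected, 1);
}

static void model_unlock(void)
{
    atomic_store(&text_lock_model, 0);
}

/* 64-bit FNV-1a: a placeholder digest, chosen only because it is short. */
static uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

enum ci_status { CI_OK = 0, CI_HASH_MISMATCH = 1, CI_STARVED = 2 };

/* One CI round. The lock is taken with a bounded number of attempts rather
 * than a blocking wait: a checker that blocks on a lock the attacker holds is
 * silently disabled, while one that gives up can report the starvation. */
static enum ci_status ci_check(const unsigned char *text, size_t n,
                               uint64_t baseline, unsigned attempt_budget)
{
    for (unsigned attempts = 0; !model_trylock(); attempts++)
        if (attempts + 1 >= attempt_budget)
            return CI_STARVED;
    uint64_t h = fnv1a64(text, n);
    model_unlock();
    return h == baseline ? CI_OK : CI_HASH_MISMATCH;
}

/* Unmodified text, lock free: the check passes. */
static enum ci_status scenario_clean(void)
{
    uint64_t baseline = fnv1a64(fake_text, sizeof fake_text);
    return ci_check(fake_text, sizeof fake_text, baseline, 1000);
}

/* One byte of code rewritten (the final ret becomes a jmp opcode):
 * the digest no longer matches the baseline. */
static enum ci_status scenario_patch(void)
{
    unsigned char patched[sizeof fake_text];
    uint64_t baseline = fnv1a64(fake_text, sizeof fake_text);
    memcpy(patched, fake_text, sizeof patched);
    patched[15] = 0xe9;
    return ci_check(patched, sizeof patched, baseline, 1000);
}

/* Attacker holds the lock and never releases it. A blocking checker would
 * hang here; the bounded one returns CI_STARVED once the budget is spent. */
static enum ci_status scenario_lock_starvation(void)
{
    uint64_t baseline = fnv1a64(fake_text, sizeof fake_text);
    if (!model_trylock())
        return CI_STARVED;
    enum ci_status st = ci_check(fake_text, sizeof fake_text, baseline, 1000);
    model_unlock();
    return st;
}

int main(void)
{
    static const char *name[] = { "OK", "HASH MISMATCH", "STARVED" };
    printf("clean:     %s\n", name[scenario_clean()]);
    printf("patched:   %s\n", name[scenario_patch()]);
    printf("lock held: %s\n", name[scenario_lock_starvation()]);
    return 0;
}
```

The design point is that the lock-acquisition outcome is itself part of the integrity signal: a monitor that can be parked indefinitely on a lock is only as strong as the attacker's inability to take that lock, so the acquisition has to be bounded and a starved round has to be surfaced the same way a hash mismatch is.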