Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <7860E358-FDE5-48A5-AF70-A2521E0DB0FD@mail.ru>
Date: Tue, 07 Jul 2020 22:32:26 +0300
From: KOLANICH <kolan_n@...l.ru>
To: lkrg-users@...ts.openwall.com
Subject: <Exploit Detection> UMH is executing file from memory on Ubuntu 20.04

Hi everyone.

Today I have noticed `<Exploit Detection> UMH is executing file from memory` message on Ubuntu 20.04 during boot (may be a result of zswap being enabled (this was the first reboot after I have enabled zswap), but I haven't tried to verify that).

1. Can I make lkrg to dump the original binaries that are being loaded, i.e. by exposing them via a VFS, and other info about them, such as pids? Which fields of subprocess_info do I need for that?
2. Can it also generate stack traces, to identify the modules that load them, on kernels available in release builds of distros?
3. Why is execution of these processes not aborted, just a message logged, even without a mode to panic on it?
4. Also I dislike a bit the way the processes are whitelisted. Is it possible to whitelist the binaries by their hashes and hashes of their dependencies (a kind of Merkle tree)? Or maybe by public keys of digital signatures embedded into the binaries?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.