Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Jul 2020 04:22:39 +0200
From: Adam Zabrocki <>
Subject: Re: <Exploit Detection> UMH is executing file from
 memory on Ubuntu 20.04


On Tue, Jul 07, 2020 at 10:32:26PM +0300, KOLANICH wrote:
> Hi everyone.
> Today I have noticed `<Exploit Detection> UMH is executing file from memory` message on Ubuntu 20.04 during boot (may be a result of zswap being enabled (this was the first reboot after I have enabled zswap), but I haven't tried to verify that).

Most likely it is some kind of eBPF / BPF executed and generated by netfilter 
(just guessing).

> 1. Can I make lkrg to dump the original binaries that are being loaded, i.e. by exposing them via a VFS, and other info about them, such as pids? Which fields of subprocess_info do I need for that?

It is possible. However, I'm not sure if we want to do it. Dumping such blob of 
memory requires to solve various additional problems as well.  Maybe I'm wrong 
and that's the right path to go (duming such memory)?

> 2. Can it also generate stack traces, to identify the modules that load them, on kernels available in release builds of distros?

No. UMH is executing from the workqueue so it won't be visible who tries to 
inject illegal binary / memory.
However, it is possible to provide a stack trace during the initialization of 
the UMH (before it is in the WQ). Nevertheless, it will print stack traces for 
all UMH request (also valid one, not just blocked one).

> 3. Why is execution of these processes not aborted, just a message logged, even without a mode to panic on it?

It is possible to configure LKRG to block such execution. Unless, it is being 
executed from the memory (not a file). In such case we don't provide any 
mechanism of blocking it. Mainly becuase of the compatibility reasons. All 
modern eBPFs might use such mechanism and some netfilters modules do that. 
Maybe we should change that behaviour?

> 4. Also I dislike a bit the way the processes are whitelisted. Is it possible to whitelist the binaries by their hashes and hashes of their dependencies (a kind of Merkle tree)? Or maybe by public keys of digital signatures embedded into the binaries?

In theory it is possible to have hash-based list. However, Linux Kernel IMA 
already provides such functionality. I'm not sure we want to reinvent such 
feature again...

P.S. You don't appear to be subscribed to the list.  I suggest that you do 
subscribe, so that you don't miss any other replies and can follow-up on those.


pi3 (pi3ki31ny) - pi3 (at) itsec pl

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.