[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle

Paul Sture nospam at sture.ch
Fri Sep 26 10:25:00 EDT 2014


On 2014-09-26, Stephen Hoffman <seaohveh at hoffmanlabs.invalid> wrote:
>
> Web server attacks are seldom specifically targeting enhanced web 
> server process privileges — Apache isn't configured and running as root 
> on any sane Unix platform, either.  These attacks generally seek the 
> ability to execute an attacker's code in the context of the target 
> server, which can then allow further exploration, exploitation and 
> (potentially) privilege escalation.
>
> Apache often has enough access to run code (hopefully you've already 
> reviewed your Unix servers for web-facing bash scripts; but I digress), 
> and more than a few servers have Apache-writable web server directories 
> configured.  If an attacker can upload or can create a program and then 
> invoke it on the target server, it's "%SYSTEM-F-GAMEOVER, all your base 
> are belong to us".

It's probably not a bad idea to review Jean-Loup Gailly's report on
WASD security, coincidentally dated 12 years ago yesterday:

<http://gailly.net/security/wasd-vuln-2002-09.txt>

Here I'll take the opportunity to note a couple of observations from
using a shared web hosting solution back in 2010.

a) /tmp was shared by multiple hosted accounts.  You could see various
   files belonging to other folks there, mostly images of watches when
   I looked.  Data leakage...  The thing to do with Drupal was to
   create your own private directories for temporary files, but this
   capability might not be present in other CMS products.

b) Unix usernames were allocated such that site example.com would
   get username examplecom.  Yes they did tighten up the ps command
   eventually so you couldn't see the others sharing the same system
   with that command, but you could still peek inside /tmp.

Users taking the base package without ssh access would have been
unaware of either form of data leakage.

Another hazard I learned of with shared web hosting was that of
allowing Apache to follow symlinks; with those enabled it only
takes seconds for someone who has gained elevated access to replace
one of your files with something sitting in their own directory tree.

The hosting solution I was using disabled these by default, which
broke Drupal (the fix was to amend the Drupal .htaccess file as
follows):

#Options +FollowSymLinks  - Apache config disallows this
Options +SymLinksIfOwnerMatch


> Apache also has enough access to view and variously modify data stored 
> in web-facing databases, and more than a few folks still don't 
> parameterize their SQL processing, for instance.
>
> VMS defenses against local stack and heap smashing attacks are 
> comparatively weak, with no-execute stack and heap available only on 
> OpenVMS I64 V8.2 and later, and with VMS entirely lacking ASLR and 
> jails/sandboxes.  While neither no-execute nor ASLR nor jails/sandboxes 
> are particularly reliable defenses, they do make it more likely the 
> attacker will crash something and the activities then be logged and/or 
> detected, or that the attacker will require knowledge of several 
> different vulnerabilities.
>
> Arguably, the Itanium separation of program control and user data and 
> its associated register-spilling shenanigans are a better defense 
> against typical sorts of stack smashing than the mixed-usage stack 
> within the architectures of Alpha and VAX, too.

Alpha and Itanium got an honourable mention in the OmniUnpack paper
I linked to at:

<http://labs.hoffmanlabs.com/node/1214#comment-3136>

(PDF page 5)
"Many hardware architectures (e.g., Intel IA-64, Sun Sparc, Alpha) offer
facilities to enforce the W ⊕ X policy through support for read, write,
and execute permissions at the page level. Unfortunately, the
architecture targeted by the vast majority of malicious programs
(Intel IA-32) lacks such facilities."

Sparc is the only other one that gets a mention; we know the fates of
Alpha and Itanium, I haven't a clue about Sparc but I don't see a rush
back to its former popularity.

-- 
A quick recap of Thursday 25th September 2014:
http://pbs.twimg.com/media/ByZfyyXIQAAXTai.jpg
Happy Thursday!
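The symlink hazard and the `Options +SymLinksIfOwnerMatch` fix mentioned in the post above are worth checking for outside Apache as well, since the server only applies that check at request time. The script below is an added example, not code from the post or from Drupal or Apache: it walks a document root and reports every symlink whose owner differs from its target's owner (exactly the condition `SymLinksIfOwnerMatch` refuses) or which dangles. The helper names (`uid_of`, `classify_symlink`, `audit_docroot`, `make_fixture`) and the fixture files are assumptions made for this example; it relies only on POSIX `ls -n`/`ls -L`, `find`, `awk` and `mktemp`, and cannot itself construct an owner mismatch without privileges, so the fixture only exercises the "ok" and "dangling" paths.

```shell
#!/bin/sh
# Added example (not from the Info-vax post, Drupal or Apache):
# audit a document root for symlinks that Apache would refuse under
#     Options +SymLinksIfOwnerMatch   # safer: follow only same-owner links
# rather than
#     Options +FollowSymLinks         # weak on shared hosts: follows anything
# Uses numeric UIDs (ls -n) so no name lookups are needed.

# Print the numeric UID owning a path. Pass -L as the second argument to
# examine the symlink target instead of the link itself.
uid_of() {            # uid_of <path> [-L]
    ls -ldn ${2:-} "$1" 2>/dev/null | awk '{print $3}'
}

# Classify one path and print a single word:
#   notlink  - not a symlink at all
#   dangling - symlink whose target does not exist
#   mismatch - link owner and target owner differ (SymLinksIfOwnerMatch blocks this)
#   ok       - link and target share an owner
# Always returns 0; callers read the printed word.
classify_symlink() {  # classify_symlink <path>
    link="$1"
    if [ ! -L "$link" ]; then echo notlink; return 0; fi
    if [ ! -e "$link" ]; then echo dangling; return 0; fi
    lu=$(uid_of "$link")
    tu=$(uid_of "$link" -L)
    if [ "$lu" = "$tu" ]; then echo ok; else echo mismatch; fi
    return 0
}

# Walk a docroot (not following links) and print one "<status>\t<link> -> <target>"
# line per symlink that is not "ok". Prints nothing when the tree is clean.
audit_docroot() {     # audit_docroot <docroot>
    find "$1" -type l -print | while IFS= read -r l; do
        s=$(classify_symlink "$l")
        [ "$s" = ok ] || printf '%s\t%s -> %s\n' "$s" "$l" "$(readlink "$l")"
    done
}

# Constructed fixture for demonstration: a temporary docroot containing a
# regular file, a same-owner symlink and a dangling symlink. Prints its path.
make_fixture() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/index.html"
    ln -s index.html "$d/good.html"               # same owner as target: ok
    ln -s /nonexistent/upload.php "$d/dangling.html"  # target missing: dangling
    echo "$d"
}

# Stand-alone usage: audit the constructed fixture, then clean it up.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    demo=$(make_fixture)
    audit_docroot "$demo"
    rm -rf "$demo"
fi
```

Run it against a real document root with `audit_docroot /var/www/example` (path assumed) and treat every `mismatch` line as a link Apache will refuse under `SymLinksIfOwnerMatch`, which is also the list a hosting customer should review if `FollowSymLinks` was ever enabled.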
