From: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
To: John Wood <john.wood@gmx.com>
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: Notify special task kill using wait* functions
Date: Tue, 06 Apr 2021 19:55:36 -0400
Message-ID: <115437.1617753336@turing-police>
In-Reply-To: <20210405073147.GA3053@ubuntu>
On Mon, 05 Apr 2021 09:31:47 +0200, John Wood said:
> > And how does the kernel know that it's notifying a "real" supervisor process,
> > and not a process started by the bad guy, who can receive the notification
> > and decide to respawn?
> >
> Well, I think this is not possible to know. Anyway, I believe that the "bad
> guy" does not rely on the wait* notification to decide whether to respawn or not. He
> will do the attack without waiting for any notification.
You believe wrong. After my 4 decades of interacting with the computer security
community, the only thing that remains a constant is that if you say "I believe
that...", there will be *somebody* who will say "Challenge accepted" and try to
do the opposite just for the lulz. Then there will be a second guy saying "Hmm..
I wonder how much I could sell a 0-day for..."
If you provide a way for an attacker to "fly under the radar" (either by having
a hardcoded limit of SIGSEGV/minute that they can carefully limit themselves
to, or by letting them set up a "supervisor" process they can abuse, or any
other method), attackers *will* use it to prevent being detected.
That's the thing about computer security - you have to keep asking yourself
"how could the attacker abuse feature X to their benefit?"
It's probably *not* even safe to go and kill *all* processes running under the
same UID - because if you do that, and a code execution bug is found in the web
server software (or back-end stuff launched by it), you just provided an
attacker a free DoS of the webserver.
Remember - your attacker is somebody who can take a 1-byte buffer
overflow, and convert it into a complete root compromise of a system.
If you think I'm kidding, go look at this paper that analyzes how to exploit
a bug in ntpd to get yourself a root shell from a remote system (or whatever
other code you want to run):
https://www.giac.org/paper/gcih/352/linux-ntpd-buffer-overflow/102270
Of course, that bug was in 2002, and the author had to hand-craft a lot of the
support framework. These days, the attacker would probably just craft a module
for Metasploit from the team at Rapid7 or another attack tool. Yes, there are
open-source exploit tools out there...
See https://metasploit.com/ - or at least the YouTube demo
https://www.youtube.com/watch?v=cYtDxfKdlqs
Make note of how many Windows versions they tested against in the video. And
if you don't watch, here's the backstory: A crew called Shadowbroker hacked the
NSA and stole a huge collection of exploit tools and dumped them into the
public. Somebody else took one of the exploit tools, figured out what it was
doing, and tossed a module over to the Metasploit crew - and now there's an
automated "type 3 lines to pwn the box" that's almost certainly easier to use
than the NSA version....
Now be glad that the guys at GIAC and Rapid7 are the good guys - but remember
that the black hats are at least as good, and have toolkits at least as good...
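The "fly under the radar" point above, as an added example that is not part of the original message or of the patch under discussion: a per-UID sliding-window crash counter with a hard-coded "more than five SIGSEGVs per minute" threshold (the threshold and window are assumptions chosen for illustration), next to an attacker loop that simply paces its crashing attempts so the counter never crosses the threshold. The attacker still gets every attempt in; it just takes longer.

```c
/* Added example, not code from the original e-mail or from any kernel patch
 * discussed in the thread. It models a mitigation of the kind the message
 * warns about: a detector that flags a UID once it sees more than
 * CRASH_LIMIT SIGSEGV-killed children inside a WINDOW_MS window, and an
 * attacker who paces attempts so the count never reaches that.
 * WINDOW_MS and CRASH_LIMIT are assumed values for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_MS   60000u   /* one-minute sliding window (assumption) */
#define CRASH_LIMIT 5u       /* more than this many crashes per window => alarm */

/* Ring buffer holding the most recent crash timestamps for one UID.
 * CRASH_LIMIT + 1 live entries is exactly the "over the limit" state. */
struct crash_detector {
    uint64_t ts[CRASH_LIMIT + 1];
    size_t   n;      /* number of valid entries, <= CRASH_LIMIT + 1 */
    size_t   head;   /* index of the oldest valid entry */
};

static void detector_init(struct crash_detector *d)
{
    d->n = 0;
    d->head = 0;
}

/* Record one crash at now_ms (monotonic, never decreasing).
 * Returns true if, counting this crash, more than CRASH_LIMIT crashes
 * fall inside the last WINDOW_MS. */
static bool detector_record(struct crash_detector *d, uint64_t now_ms)
{
    /* Expire entries that have fallen out of the window. */
    while (d->n > 0 && now_ms - d->ts[d->head] >= WINDOW_MS) {
        d->head = (d->head + 1) % (CRASH_LIMIT + 1);
        d->n--;
    }
    /* Buffer full: drop the oldest so the newest timestamps are kept. */
    if (d->n == CRASH_LIMIT + 1) {
        d->head = (d->head + 1) % (CRASH_LIMIT + 1);
        d->n--;
    }
    d->ts[(d->head + d->n) % (CRASH_LIMIT + 1)] = now_ms;
    d->n++;
    return d->n > CRASH_LIMIT;
}

/* Smallest spacing at which CRASH_LIMIT + 1 crashes never share a window:
 * the (CRASH_LIMIT+1)-th crash must land >= WINDOW_MS after the first,
 * i.e. ceil(WINDOW_MS / CRASH_LIMIT). */
static uint64_t evasion_interval_ms(void)
{
    return (WINDOW_MS + CRASH_LIMIT - 1) / CRASH_LIMIT;
}

/* Simulate `attempts` crashing probes spaced interval_ms apart from t=0.
 * Returns the 1-based index of the attempt that tripped the detector,
 * or 0 if the attacker got through every attempt undetected. */
static unsigned simulate_attacker(uint64_t interval_ms, unsigned attempts)
{
    struct crash_detector d;
    detector_init(&d);
    for (unsigned i = 1; i <= attempts; i++) {
        uint64_t now = (uint64_t)(i - 1) * interval_ms;
        if (detector_record(&d, now))
            return i;
    }
    return 0;
}

int main(void)
{
    uint64_t paced = evasion_interval_ms();
    printf("burst, 100 ms apart: caught at attempt %u\n",
           simulate_attacker(100, 1000));
    printf("paced, %llu ms apart: caught at attempt %u (0 = never)\n",
           (unsigned long long)paced, simulate_attacker(paced, 1000));
    printf("paced, %llu ms apart: caught at attempt %u\n",
           (unsigned long long)(paced - 1), simulate_attacker(paced - 1, 1000));
    return 0;
}
```

With the assumed 5-per-minute limit the evasion interval is 12 s, so a thousand guesses take a little over three hours instead of a few seconds; for an attacker brute-forcing a byte of canary or ASLR entropy that is a delay, not a stop. Any fixed, knowable threshold becomes a parameter of the attack rather than a barrier to it.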
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Thread overview (18+ messages):
2021-03-30 17:34 Notify special task kill using wait* functions John Wood
2021-03-30 18:40 ` Valdis Klētnieks
2021-04-02 12:49 ` John Wood
2021-04-03 3:50 ` Valdis Klētnieks
2021-04-03 7:02 ` John Wood
2021-04-03 21:34 ` Valdis Klētnieks
2021-04-04 9:48 ` John Wood
2021-04-04 21:10 ` Valdis Klētnieks
2021-04-05 7:31 ` John Wood
2021-04-06 23:55 ` Valdis Klētnieks [this message]
2021-04-07 17:51 ` John Wood
2021-04-07 20:38 ` Valdis Klētnieks
2021-04-08 1:51 ` Andi Kleen
2021-04-09 14:29 ` John Wood
2021-04-09 15:06 ` Andi Kleen
2021-04-09 16:08 ` John Wood
2021-04-09 23:28 ` Valdis Klētnieks
2021-04-11 8:46 ` John Wood