kernelnewbies.kernelnewbies.org archive mirror
From: "Valdis Klētnieks" <valdis.kletnieks@vt.edu>
To: John Wood <john.wood@gmx.com>
Cc: kernelnewbies@kernelnewbies.org
Subject: Re: Notify special task kill using wait* functions
Date: Tue, 06 Apr 2021 19:55:36 -0400
Message-ID: <115437.1617753336@turing-police>
In-Reply-To: <20210405073147.GA3053@ubuntu>



On Mon, 05 Apr 2021 09:31:47 +0200, John Wood said:

> > And how does the kernel know that it's notifying a "real" supervisor process,
> > and not a process started by the bad guy, who can receive the notification
> > and decide to respawn?
> >
> Well, I think this is not possible to know. Anyway, I believe that the "bad
> guy" does not rely on the wait* notification to decide to respawn or not. He
> will do the attack without waiting for any notification.

You believe wrong. After my 4 decades of interacting with the computer security
community, the only thing that remains a constant is that if you say "I believe
that...", there will be *somebody* who will say "Challenge accepted" and try to
do the opposite just for the lulz. Then there will be a second guy saying "Hmm..
I wonder how much I could sell a 0-day for..."

If you provide a way for an attacker to "fly under the radar" (either by having
a hardcoded limit of SIGSEGV/minute that they can carefully limit themselves
to, or by letting them set up a "supervisor" process they can abuse, or any
other method), attackers *will* use it to prevent being detected.

That's the thing about computer security - you have to keep asking yourself
"how could the attacker abuse feature X to their benefit?"

It's probably *not* even safe to go and kill *all* processes running under the
same UID - because if you do that, and a code execution bug is found in the web
server software (or back-end stuff launched by it), you just provided an
attacker a free DoS of the webserver.

Remember - your attacker is somebody who can take a 1-byte buffer
overflow, and convert it into a complete root compromise of a system.

If you think I'm kidding, go look at this paper that analyzes how to exploit
a bug in ntpd to get yourself a root shell from a remote system (or whatever
other code you want to run):

https://www.giac.org/paper/gcih/352/linux-ntpd-buffer-overflow/102270

Of course, that bug was in 2002, and the author had to hand-craft a lot of the
support framework. These days, the attacker would probably just craft a module
for Metasploit from the team at Rapid7 or other attack tool.  Yes, there's
open-source exploit tools out there...

See https://metasploit.com/ - or at least the YouTube demo

https://www.youtube.com/watch?v=cYtDxfKdlqs

Make note of how many Windows versions they tested against in the video.  And
if you don't watch, here's the backstory:  A crew called Shadowbroker hacked the
NSA and stole a huge collection of exploit tools and dumped them into the
public.  Somebody else took one of the exploit tools, figured out what it was
doing, and tossed a module over to the Metasploit crew - and now there's an
automated "type 3 lines to pwn the box" that's almost certainly easier to use
than the NSA version....

Now be glad that the guys at GIAC and Rapid7 are the good guys - but remember
that the black hats are at least as good, and have toolkits at least as good...




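Added example, not part of the message above or of any patch discussed in the thread: a sliding-window crash-rate rule of the "hardcoded limit per minute" kind, run over two constructed crash traces, so a defender can see what such a rule misses and how many crashes per day it tolerates without alarming. WINDOW, LIMIT, the traces and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical hardcoded rule: alarm above LIMIT crashes per WINDOW seconds. */
#define WINDOW 60
#define LIMIT  5

/* Constructed sample traces: seconds at which workers of one service
 * died of SIGSEGV. Both arrays are sorted ascending. */
static const long burst[] = {0, 1, 2, 3, 4, 5, 6, 7};
static const long paced[] = {0, 13, 26, 39, 52, 65, 78, 91, 104, 117, 130, 143};

/* Peak number of events inside any half-open sliding window of
 * `window` seconds (window > 0, `t` sorted ascending). */
size_t peak_in_window(const long *t, size_t n, long window)
{
    size_t lo = 0, peak = 0;
    for (size_t hi = 0; hi < n; hi++) {
        while (t[hi] - t[lo] >= window)
            lo++;                      /* drop events older than the window */
        if (hi - lo + 1 > peak)
            peak = hi - lo + 1;
    }
    return peak;
}

/* The rule itself: alarm only when the peak exceeds LIMIT. */
int rate_alarm(const long *t, size_t n)
{
    return peak_in_window(t, n, WINDOW) > LIMIT;
}

/* Crashes the rule tolerates over `horizon` seconds without ever
 * alarming: LIMIT per full window. This is the rule's blind spot. */
long silent_budget(long horizon)
{
    return (horizon / WINDOW) * LIMIT;
}

int main(void)
{
    size_t nb = sizeof burst / sizeof burst[0];
    size_t np = sizeof paced / sizeof paced[0];
    printf("burst: %zu crashes, alarm=%d\n", nb, rate_alarm(burst, nb));
    printf("paced: %zu crashes, alarm=%d\n", np, rate_alarm(paced, np));
    printf("tolerated silently per day: %ld\n", silent_budget(86400L));
    return 0;
}
```

The paced trace contains more crashes than the burst trace yet never trips the rule; evaluating the same trace over a longer window (peak_in_window with a one-hour window) is what exposes it.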
