Re: (c 5.6) Running 2 versions of Apache ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

> On Mon, Aug 29, 2011 at 4:57 PM, Corey Henderson <corman@xxxxxxxxxxxxx>
> wrote:
>>> You  can avoid a lot of the problems by making sure
>>> that apache can't write anywhere that is mounted with execute
>>> capability.
>>>
>>
>> Or install a security module to do that for you. One that I've written
>> that is nearing the end of its beta:
>>
>> https://github.com/cormander/tpe-lkm
>>
>> In some cases, you can even tell it to let apache not exec anything at
>> all, if you're not running cgi scripts or bytecode php deployments
>> (zend,
>> etc).
>>
>
> Would it have blocked this widely known/used vulnerability?
> http://seclists.org/fulldisclosure/2010/Oct/257
>

Yes, because you've created the file you're executing:

$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3

The attempt fails as designed by tpe. I've specifically tested this one.

It also stops the trick of using ld-x.x.so to execute binaries, because
mmap and mprotect are also checked in addition to execve.

Tested on both CentOS 5 & 6. Haven't bothered testing it on 4 since it's
close to EOL.

--
Corey


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux