On Mon, 05 Apr 2021 09:31:47 +0200, John Wood said: > > And how does the kernel know that it's notifying a "real" supervisor process, > > and not a process started by the bad guy, who can receive the notification > > and decide to respawn? > > > Well, I think this is not possible to know. Anyway, I believe that the "bad > guy" not rely on the wait* notification to decide to respawn or not. He > will do the attack without waiting any notification. You believe wrong. After my 4 decades of interacting with the computer security community, the only thing that remains a constant is that if you say "I believe that...", there will be *somebody* who will say "Challenge accepted" and try to do the opposite just for the lulz. Then there will be a second guy saying "Hmm.. I wonder how much I could sell a 0-day for..." If you provide a way for an attacker to "fly under the radar" (either by having a hardcoded limit of SYSSEGV/minute that they can carefully limit themselves to, or by letting them set up a "supervisor" process they can abuse, or any other method), attackers *will* use it to prevent being detected. That's the thing about computer security - you have to keep asking yourself "how could the attacker abuse feature X to their benefit?" It's probably *not* even safe to go and kill *all* processes running under the same UID - because if you do that, and a code execution bug is found in the web server software (or back-end stuff launched by it), you just provided an attacker a free DoS of the webserver. Remember - your attacker is somebody who can take a 1-byte buffer overflow, and convert it into a complete root compromise of a system If you think I'm kidding, go look at this paper that analyzes how to exploit a bug in ntpd to get yourself a root shell from a remote system (or whatever other code you want to run): https://www.giac.org/paper/gcih/352/linux-ntpd-buffer-overflow/102270 Of course, that bug was in 2002, and the author had to hand-craft a lot of the support framework. These days, the attacker would probably just craft a module for Metasploit from the team at Rapid7 or other attack tool. Yes, there's open-source exploit tools out there... See https://metasploit.com/ - or at least the YouTube demo https://www.youtube.com/watch?v=cYtDxfKdlqs Make note of how many Windows versions they tested against in the video. And if you don't watch, here's the backstory: A crew call Shadowbroker hacked the NSA and stole a huge collection of exploit tools and dumped them into the public. Somebody else took one of the exploit tools, figured out what it was doing, and tossed a module over to the Metasploit crew - and now there's an automated "type 3 lines to pwn the box" that's almost certainly easier to use than the NSA version.... Now be glad that the guys at GIAC and Rapid7 are the good guys - but remember that the black hats are at least as good, and have toolkits at least as good...
Attachment:
pgpC79UKby8oK.pgp
Description: PGP signature
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies