Date: Sat, 17 Nov 2018 16:33:15 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: LKRG Exploit Detection bypass (LOL)

Hi

On Sat, Nov 17, 2018 at 01:34:37PM +0100, Solar Designer wrote:
> On Sat, Nov 17, 2018 at 10:41:35AM +0400, Ilya Matveychikov wrote:
> > Fixed. See the latest commit. Now it works :)
>
> I haven't tried running this (I'm leaving that for Adam), but now it
> looks like it'd work - you're actually calling usermodehelper, and you
> no longer try using a +s shell script. Adam got another bypass using
> usermodehelper working later yesterday, so this is enough for us to
> confirm that yes, usermodehelper is a fairly easy bypass vector that
> we'll consider patching. Thanks!
>
> Alexander

Yes, I can confirm it is working, and yes, I got a similar bypass
yesterday (also using UMH - which is a problematic kernel functionality
in the first place). The good news is LKRG is already plugged into that
kernel code and we will expand our current capabilities to be able to
block / limit this bypass.

Nevertheless, it is a very smart trick and big thanks for pointing that
out! ;-) Good job Ilya!

Thanks,
Adam

--
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl