Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 17 Nov 2018 16:33:15 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: LKRG Exploit Detection bypass (LOL)

Hi

On Sat, Nov 17, 2018 at 01:34:37PM +0100, Solar Designer wrote:
> On Sat, Nov 17, 2018 at 10:41:35AM +0400, Ilya Matveychikov wrote:
> > Fixed. See the latest commit. Now it works :)
> 
> I haven't tried running this (I'm leaving that for Adam), but now it
> looks like it'd work - you're actually calling usermodehelper, and you
> no longer try using a +s shell script.  Adam got another bypass using
> usermodehelper working later yesterday, so this is enough for us to
> confirm that yes, usermodehelper is a fairly easy bypass vector that
> we'll consider patching.  Thanks!
> 
> Alexander

Yes, I can confirm it is working, and yes I've got similar bypass yesterday 
(also using UMH - which is a problematic kernel functionality at first place). 
The good news is LKRG is are already plugged-in in that kernel code and we 
will expand our current capabilities to be able to block / limit this bypass.

Nevertheless, it is very smart trick and big thanks for pointing that out! ;-)

Goot job Ilya!

Thanks,
Adam

-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.