Date: Thu, 21 Feb 2019 04:02:48 +0400
From: Ilya Matveychikov <matvejchikov@...il.com>
To: lkrg-users@...ts.openwall.com
Subject: Re: LKRG 6.0 Exploit Detection bypass

One more ED bypass:
 - (5) LKRG ED bypass by disabling kprobes (patching the kernel)

https://github.com/milabs/kernel-exploits/commit/a19d1d80e3e1fe10da6ccc6f5c296a94912e506b


> On Feb 20, 2019, at 9:43 AM, Ilya Matveychikov <matvejchikov@...il.com> wrote:
> 
> Hello,
> 
> I’d like to show a few more exploit detection bypass techniques:
> https://github.com/milabs/kernel-exploits/commit/6bd99d97c3f99a0a743a012b9cb90fb2fe1c0970
> 
> By this commit we have the list of following:
> - (1) LKRG ED bypass using UMH and chmod + chown, the very first bypass
> - (2) LKRG ED bypass by overwriting inode->i_{uid,gid,mode} using simple_setattr()
> - (3) LKRG ED bypass by overwriting inode->i_{uid,gid,mode} directly
> - (4) LKRG ED bypass by unlocking "UMH lock down" with LD_PRELOAD
> - LKRG "poor man's CFI" bypass
> 
> (1) and (2) were introduced a few months before.
> 
> (3) is an improvement of (2) which uses the DKOM technique to manipulate the inode
> directly without being detected by the simple_setattr() hook.
> 
> (4) is the bypass of "UMH locking by using whitelist of programs" which basically
> allows one to use LD_PRELOAD to inject his payload to /sbin/modprobe or similar.
> 
> Since the use of (3) and (4) is locked by the pCFI (poor man's Control Flow Integrity)
> mitigation introduced in LKRG 6.0, I had to add the “rich man’s CFI bypass” which
> wraps calls to all of the listed bypasses with 2 macros which actually fake
> the call stack for the time of exploitation so LKRG could not see this.
> 
> Ilya
> 
