Date: Thu, 9 Jul 2020 04:22:39 +0200 From: Adam Zabrocki <pi3@....com.pl> To: lkrg-users@...ts.openwall.com Cc: KOLANICH <kolan_n@...l.ru> Subject: Re: <Exploit Detection> UMH is executing file from memory on Ubuntu 20.04 Hi, On Tue, Jul 07, 2020 at 10:32:26PM +0300, KOLANICH wrote: > Hi everyone. > > Today I have noticed `<Exploit Detection> UMH is executing file from memory` message on Ubuntu 20.04 during boot (may be a result of zswap being enabled (this was the first reboot after I have enabled zswap), but I haven't tried to verify that). Most likely it is some kind of eBPF / BPF executed and generated by netfilter (just guessing). > > 1. Can I make lkrg to dump the original binaries that are being loaded, i.e. by exposing them via a VFS, and other info about them, such as pids? Which fields of subprocess_info do I need for that? It is possible. However, I'm not sure if we want to do it. Dumping such blob of memory requires to solve various additional problems as well. Maybe I'm wrong and that's the right path to go (duming such memory)? > 2. Can it also generate stack traces, to identify the modules that load them, on kernels available in release builds of distros? No. UMH is executing from the workqueue so it won't be visible who tries to inject illegal binary / memory. However, it is possible to provide a stack trace during the initialization of the UMH (before it is in the WQ). Nevertheless, it will print stack traces for all UMH request (also valid one, not just blocked one). > 3. Why is execution of these processes not aborted, just a message logged, even without a mode to panic on it? It is possible to configure LKRG to block such execution. Unless, it is being executed from the memory (not a file). In such case we don't provide any mechanism of blocking it. Mainly becuase of the compatibility reasons. All modern eBPFs might use such mechanism and some netfilters modules do that. Maybe we should change that behaviour? > 4. Also I dislike a bit the way the processes are whitelisted. Is it possible to whitelist the binaries by their hashes and hashes of their dependencies (a kind of Merkle tree)? Or maybe by public keys of digital signatures embedded into the binaries? In theory it is possible to have hash-based list. However, Linux Kernel IMA already provides such functionality. I'm not sure we want to reinvent such feature again... P.S. You don't appear to be subscribed to the list. I suggest that you do subscribe, so that you don't miss any other replies and can follow-up on those. Thanks, Adam -- pi3 (pi3ki31ny) - pi3 (at) itsec pl http://pi3.com.pl
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.