Notify special task kill using wait* functions
valdis.kletnieks at vt.edu
Tue Apr 6 19:55:36 EDT 2021
On Mon, 05 Apr 2021 09:31:47 +0200, John Wood said:
> > And how does the kernel know that it's notifying a "real" supervisor process,
> > and not a process started by the bad guy, who can receive the notification
> > and decide to respawn?
> Well, I think this is not possible to know. Anyway, I believe that the "bad
> guy" not rely on the wait* notification to decide to respawn or not. He
> will do the attack without waiting any notification.
You believe wrong. After my 4 decades of interacting with the computer security
community, the only thing that remains a constant is that if you say "I believe
that...", there will be *somebody* who will say "Challenge accepted" and try to
do the opposite just for the lulz. Then there will be a second guy saying "Hmm..
I wonder how much I could sell a 0-day for..."
If you provide a way for an attacker to "fly under the radar" (either by having
a hardcoded limit of SYSSEGV/minute that they can carefully limit themselves
to, or by letting them set up a "supervisor" process they can abuse, or any
other method), attackers *will* use it to prevent being detected.
That's the thing about computer security - you have to keep asking yourself
"how could the attacker abuse feature X to their benefit?"
It's probably *not* even safe to go and kill *all* processes running under the
same UID - because if you do that, and a code execution bug is found in the web
server software (or back-end stuff launched by it), you just provided an
attacker a free DoS of the webserver.
Remember - your attacker is somebody who can take a 1-byte buffer
overflow, and convert it into a complete root compromise of a system
If you think I'm kidding, go look at this paper that analyzes how to exploit
a bug in ntpd to get yourself a root shell from a remote system (or whatever
other code you want to run):
Of course, that bug was in 2002, and the author had to hand-craft a lot of the
support framework. These days, the attacker would probably just craft a module
for Metasploit from the team at Rapid7 or other attack tool. Yes, there's
open-source exploit tools out there...
See https://metasploit.com/ - or at least the YouTube demo
Make note of how many Windows versions they tested against in the video. And
if you don't watch, here's the backstory: A crew call Shadowbroker hacked the
NSA and stole a huge collection of exploit tools and dumped them into the
public. Somebody else took one of the exploit tools, figured out what it was
doing, and tossed a module over to the Metasploit crew - and now there's an
automated "type 3 lines to pwn the box" that's almost certainly easier to use
than the NSA version....
Now be glad that the guys at GIAC and Rapid7 are the good guys - but remember
that the black hats are at least as good, and have toolkits at least as good...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 832 bytes
Desc: not available
More information about the Kernelnewbies