Notify special task kill using wait* functions

Valdis Klētnieks valdis.kletnieks at vt.edu
Tue Apr 6 19:55:36 EDT 2021


On Mon, 05 Apr 2021 09:31:47 +0200, John Wood said:

> > And how does the kernel know that it's notifying a "real" supervisor process,
> > and not a process started by the bad guy, who can receive the notification
> > and decide to respawn?
> >
> Well, I think this is not possible to know. Anyway, I believe that the "bad
> guy" does not rely on the wait* notification to decide to respawn or not. He
> will do the attack without waiting for any notification.

You believe wrong. After my 4 decades of interacting with the computer security
community, the only thing that remains a constant is that if you say "I believe
that...", there will be *somebody* who will say "Challenge accepted" and try to
do the opposite just for the lulz. Then there will be a second guy saying "Hmm..
I wonder how much I could sell a 0-day for..."

If you provide a way for an attacker to "fly under the radar" (either by having
a hardcoded limit of SIGSEGV/minute that they can carefully limit themselves
to, or by letting them set up a "supervisor" process they can abuse, or any
other method), attackers *will* use it to prevent being detected.

That's the thing about computer security - you have to keep asking yourself
"how could the attacker abuse feature X to their benefit?"

It's probably *not* even safe to go and kill *all* processes running under the
same UID - because if you do that, and a code execution bug is found in the web
server software (or back-end stuff launched by it), you just provided an
attacker a free DoS of the webserver.

Remember - your attacker is somebody who can take a 1-byte buffer
overflow, and convert it into a complete root compromise of a system.

If you think I'm kidding, go look at this paper that analyzes how to exploit
a bug in ntpd to get yourself a root shell from a remote system (or whatever
other code you want to run):

https://www.giac.org/paper/gcih/352/linux-ntpd-buffer-overflow/102270

Of course, that bug was in 2002, and the author had to hand-craft a lot of the
support framework. These days, the attacker would probably just craft a module
for Metasploit from the team at Rapid7, or for some other attack tool. Yes, there are
open-source exploit tools out there...

See https://metasploit.com/ - or at least the YouTube demo

https://www.youtube.com/watch?v=cYtDxfKdlqs

Make note of how many Windows versions they tested against in the video. And
if you don't watch, here's the backstory: A crew called the Shadow Brokers hacked the
NSA and stole a huge collection of exploit tools and dumped them into the
public. Somebody else took one of the exploit tools, figured out what it was
doing, and tossed a module over to the Metasploit crew - and now there's an
automated "type 3 lines to pwn the box" that's almost certainly easier to use
than the NSA version....

Now be glad that the guys at GIAC and Rapid7 are the good guys - but remember
that the black hats are at least as good, and have toolkits at least as good...
