saint jude

Discuss and suggest new grsecurity features

Post by hexa » Tue Dec 17, 2002 7:08 pm

I wonder what developers of grsecurity think about saint jude's method for detecting improper or unauthorized privilege transitions within the UNIX environment.

Is it better if one uses grsecurity without ACLs or saint jude module?

Is anyone using both at the same time? Is it even possible?

Thanks for info.

Oh, and BTW saint jude's URL:
http://www.wwjh.net/StJude/index.html
hexa
 
Posts: 2
Joined: Tue Dec 17, 2002 6:47 pm

Post by spender » Tue Dec 17, 2002 10:28 pm

I've given the code and the design specs a cursory look. The protection it provides is pretty weak. Firstly, the whole design is geared around stopping exploits that exec a rootshell. I don't see anything in here that restricts anything in the process other than execve. It has problems with its runtime memory allocation... basically if you load up the memory on the system high enough, it won't be able to apply its rules, and you can get away scot-free. execve() isn't the only method of transferring privilege... there are many more, and they can all be done in shellcode. The attempt to protect the kernel from modification is weak also, and easily bypassed, as it only checks a few things for modification. It also doesn't stop an attacker from doing anything once he is root. So you can run StJude and think you're secure, but you'll never know, as there's nothing stopping the attacker from covering their tracks.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Post by spender » Wed Dec 18, 2002 9:57 am

For example, here's a simple way to bypass StJude, taking advantage of one of the many flaws in its design:

In your shellcode, before calling execve(), use prctl() to set the keep_capabilities flag on the task, and then call setuid() to a non-0 uid, then call execve() to execute your rootshell (you won't have uid 0, but it will only take a second after you have your shell to gain that, as you have all of root's capabilities).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
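
A monitor that looks only at uids cannot see the state described in the post above, where a task has a non-zero uid but still holds root's capabilities. The following added example (not part of the thread, and not grsecurity or StJude code) audits `/proc/<pid>/status` text for that mismatch; it assumes the `Uid`, `CapPrm` and `CapEff` fields of current Linux kernels, and the sample records and the choice of capabilities treated as root-equivalent are constructed for illustration.

```python
# Added example: audit /proc/<pid>/status text for processes whose UIDs are
# all non-zero yet which still hold capabilities (invisible to uid-only checks).

# Capabilities treated here as root-equivalent (bit numbers from
# linux/capability.h). The selection is this example's assumption.
ROOT_EQUIVALENT = {1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 16: "CAP_SYS_MODULE",
                   19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

# Constructed sample records, not captured from a real system.
SAMPLES = {
    101: "Name:\tsshd\nUid:\t0\t0\t0\t0\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n",
    202: "Name:\thttpd\nUid:\t33\t33\t33\t33\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n",
    303: "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n",
    404: "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n",
    505: "Name:\ttruncated\nUid:\t1000\t1000\t1000\t1000\n",
}

def parse_status(text):
    """Split the 'Key:<tab>value' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(text):
    """Return None, or (severity, names) for a non-root process that holds
    capabilities. Severity is 'high' if any held capability is root-equivalent."""
    f = parse_status(text)
    try:
        uids = [int(u) for u in f["Uid"].split()]  # real, effective, saved, fs
        held = int(f["CapPrm"], 16) | int(f["CapEff"], 16)
    except (KeyError, ValueError):
        return None  # incomplete or malformed record, nothing to judge
    if 0 in uids or held == 0:
        return None  # root is expected to hold capabilities; no caps is fine
    dangerous = sorted(n for b, n in ROOT_EQUIVALENT.items() if (held >> b) & 1)
    return ("high", dangerous) if dangerous else ("low", [])

def audit(records):
    """Map pid -> finding for every record that classify() flags."""
    return {pid: r for pid, t in records.items() if (r := classify(t))}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

On a live system the same `classify()` can be fed the contents of each `/proc/<pid>/status` file; a "low" finding is typical of a service that was deliberately granted a single capability such as binding low ports.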

Post by hexa » Wed Dec 18, 2002 5:32 pm

Thanks for the info.
;-)
hexa
 
Posts: 2
Joined: Tue Dec 17, 2002 6:47 pm
