  1. #1

    * noexec is no good

    At least on linux. Make your tmp or whatever as noexec and it can still be executed.

    /bin/sh /tmp/myhack

    another example:

    /usr/bin/perl /tmp/mybackdoor.pl

    So if you thought you just secured your /tmp folder by making it noexec, you did nothing.

  2. #2
    No, it won't prevent scripting languages, but no one thing is a magic bullet. Just like removing the compilers, it won't stop everything, but it does kill a large swath of script kiddie exploits. If nothing else, you probably bought yourself some time, which can be a very valuable commodity.
    Game Servers are the next hot market!
    Slim margins, heavy support, fickle customers, and moronic suppliers!
    Start your own today!

  3. #3
    Even a binary can be executed from /tmp with noexec; noexec only protects against a low-knowledge attacker.

    regards,
    M.
    Powered by AMD & FreeBSD.
    "Documentation is like sex:
    when it is good, it is very, very good;
    and when it is bad, it is better than nothing."

  4. #4
    Quoted from http://www.seifried.org/lasg/installation/:
    noexec: if you mount /tmp noexec, for example, you can copy a binary in but it will not run; however, if you execute it using ld-linux.so it will work fine:

    [[email protected] /tmp]$ ./date
    bash: ./date: Permission denied
    [[email protected] /tmp]$ /lib/ld-linux.so.2 ./date
    Thu Aug 24 21:59:08 MDT 2000
    [[email protected] /tmp]$
    In short, we are trying to add as many "layers" of protection to our system as we can, and no single "layer" of protection can protect your system 100%.
    Giam Teck Choon
    :: Join choon.net Community today to share your tips and tricks on server issues please ::
    :: Singapore Dedicated Servers :: Singapore Virtual Private Servers :: Linux/FreeBSD Server Management ::

  5. #5
    "You cannot gain 100% security; you can, however, gain increased security. The only way to gain 100% security is to remove the internet and lock it up in a safe where no one can get to it. But even then it's not secure, because someone could crack the safe."

    To quote me from another post
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  6. #6
    [[email protected] /tmp]$ /lib/ld-linux.so.2 ./date
    Thu Aug 24 21:59:08 MDT 2000
    ^ This is said to be fixed in the 2.6 kernel.

    You cannot gain 100% security
    That's not the issue. The issue is a false sense of security.

  7. #7
    No server is 100% secure,
    and all we can do is try our best to secure it and use all available means.

    We all die one day, but it does not mean we should stop eating, or breathing ..

    I was thinking ..

    can't we chmod 700 /lib/ld-linux.so.2?


    Experienced OpenStack Admin For Hire
    regular as admin0 on freenode IRC on #openstack and #openstack-ansible channels

  8. #8
    chmod 700 /lib/ld-linux.so.2
    Haven't seen if that would break anything or not (maybe you can check and let us know), but at the same time I have yet to see any script kiddie use it. The most common is

    /usr/bin/perl /tmp/mybackdoor.pl

    and

    /bin/bash /tmp/muhahaha

  9. #9
    No server is 100% secure..
    Thanks for the news, but to me this looks more like a security hole in Linux...

    I have read elsewhere that kernel 2.6 does honour the noexec bit on other partitions. If that's true then that's the way to go.

    Can anyone with a machine running kernel 2.6 try that and confirm? Especially this type of execution:

    /usr/bin/perl /tmp/mybackdoor.pl
    (of course the tmp partition needs to be noexec)

    I don't have a spare machine right now for 2.6, poor me.

  10. #10
    Originally posted by webx
    <snip> ..Can anyone with a machine running kernel 2.6 try that and confirm? Especially this type of execution:

    /usr/bin/perl /tmp/mybackdoor.pl
    (of course the tmp partition needs to be noexec)

    I don't have a spare machine right now for 2.6, poor me.
    Sorry for bringing up this old thread, but this is a very interesting question which has never been answered.

    Can anybody give an answer by now?

    thank you all.
    coma.

  11. #11
    Like all other layers, noexec is not a 100% lockdown. Most people will know this, so I don't see the point of this post; noexec protects against at least one type of exploit, which makes it useful.
    Chris Collins
    Hostingfreak.net
    Directadmin Hosting in europe
    www.hostingfreak.net

  12. #12
    Originally posted by webx
    Thanks for the news, but to me this looks more like a security hole in Linux...

    I have read elsewhere that kernel 2.6 does honour the noexec bit on other partitions. If that's true then that's the way to go.

    Can anyone with a machine running kernel 2.6 try that and confirm? Especially this type of execution:

    /usr/bin/perl /tmp/mybackdoor.pl
    (of course the tmp partition needs to be noexec)

    I don't have a spare machine right now for 2.6, poor me.
    I have tried this on a server running CentOS 3 with kernel 2.6.9:

    #pwd
    /tmp
    #./test.pl
    -bash: ./test.pl: Permission denied
    #perl /tmp/test.pl
    Hello World

    As you can see, it's the same with kernel 2.6.

  13. #13
    You're not going to block interpreter-based execution with noexec.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  14. #14
    Since the topic is reopened:
    Originally posted by admin0

    can't we chmod 700 /lib/ld-linux.so.2?
    I would not recommend it.
    /lib/ld-linux.so.2 is a symlink to e.g. /lib/ld-2.2.5.so.
    Default permissions on that file on my box are 755;
    if you try 700, only root will be able to run commands (and log in),
    other users will get "Permission denied",
    so it seems the file needs to be at least executable (e.g. 711).

  15. #15
    Originally posted by almahdi
    I have tried this on a server running CentOS 3 with kernel 2.6.9:

    #pwd
    /tmp
    #./test.pl
    -bash: ./test.pl: Permission denied
    #perl /tmp/test.pl
    Hello World

    As you can see, it's the same with kernel 2.6.
    Thank you for testing this out!

    I think that the /tmp partition causes about 80% of all the problems with script kiddies, who run their crap there.

    A solution which prevents the execution of perl and php in the /tmp partition could save a lot of trouble,
    so there should be a solution for this, shouldn't there?

    I've heard that you can do this with grsecurity and ACLs.

    I would appreciate it if someone can give me some pointers or a how-to on how to do this.
    Thanks in advance.
    coma.

  16. #16
    A grsecurity ACL how-to can't really be tutorialized; it has to be built on a per-server basis.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  17. #17
    Hello,

    Even if you chmod binaries, most binaries can be called because they are a shell builtin.

    Mount it manually, loop, nodev, nosuid, good security steps, OS hardening, paths, and assign users to groups with specific permissions.

    Another option is to change the path of the mysql.sock in /etc/my.cnf, and set the correct permission on /tmp, which should be 1777.

    Regards,
    SecurityWay.Net Managed Solutions
    Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
    http://domains.securityway.net/
    Believe an expert, believe on who has had experience.
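A mount-option audit for the layering posts #1 and #17 describe (noexec plus nosuid and nodev on /tmp and similar mounts). This is an added example, not code from any poster in the thread; the /proc/mounts lines are constructed here and the function names `has_opt` and `missing_opts` are chosen for this example.

```shell
#!/bin/sh
# Added example: audit a mountpoint's options in /proc/mounts format.
# These sample lines are constructed here, not taken from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0'

# has_opt OPTS OPT: succeeds if OPT appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_opts MOUNTPOINT [MOUNTS_TEXT]: prints the hardening options
# (noexec nosuid nodev) absent from MOUNTPOINT, an empty line if all are
# set, or "notfound" if the path is not a mountpoint. Reads /proc/mounts
# when no text is supplied. As the thread notes, noexec only blocks direct
# execution of files on the mount; "perl /tmp/x.pl" still runs.
missing_opts() {
    mp=$1
    text=${2:-$(cat /proc/mounts)}
    opts=$(printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo notfound
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# Report on the constructed sample for the world-writable mounts
# that script kiddies typically drop files into.
for m in /tmp /var/tmp /home; do
    echo "$m: missing [$(missing_opts "$m" "$SAMPLE_MOUNTS")]"
done
```

Drop the second argument to audit the live system; the awk field positions match /proc/mounts on Linux.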
