Registration Weakness in Linux Kernel's Binary formats

Registration Weakness in Linux Kernel's Binary formats

[SHELLCODE Security Research]

Hello,
The present document aims to demonstrate a design weakness found in the
handling of simply 
linked   lists   used   to   register   binary   formats   handled   by
Linux   kernel,   and   affects   all   the   kernel families
(2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
kernel­ space that can be used by malicious users to create infection
tools, for example rootkits.

POC, details and proposed solution at:
English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf

regards,
--
SHELLCODE Security Research TEAM
GoodFellas@shellcode.com.ar
http://www.shellcode.com.ar

Re: Registration Weakness in Linux Kernel's Binary formats

[Chase Venters]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1246 bytes --]

On Tue, 3 Oct 2006, SHELLCODE Security Research wrote:

> Hello,
> The present document aims to demonstrate a design weakness found in the
> handling of simply
> linked   lists   used   to   register   binary   formats   handled   by
> Linux   kernel,   and   affects   all   the   kernel families
> (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
> kernel­ space that can be used by malicious users to create infection
> tools, for example rootkits.

So the problem you find is that newly registered binfmts are inserted into 
the front of the binfmt list instead of the rear, and this means that a 
binfmt handler can slip in at runtime at run quietly before any other 
handler?

I'm not sure I see this as a real problem. If you can load a module into 
kernel space and access arbitrary symbols (not to mention run in ring 0) I 
think you can do a lot more than just hide out on the binfmt list.

Am I missing something?

> POC, details and proposed solution at:
> English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
> Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
>
> regards,
> --
> SHELLCODE Security Research TEAM
> GoodFellas@shellcode.com.ar
> http://www.shellcode.com.ar
>

Thanks,
Chase

Re: Registration Weakness in Linux Kernel's Binary formats

[Kyle Moffett]

On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> Just forwarding....

Well, you could have checked the list archives first to make sure the  
idiot didn't send it here himself.  Secondly if you're going to  
forward something like this best send it to security@kernel.org first.

Of course, it's partially the abovementioned idiot's fault for BCCing  
a mailing list and several others:
> To: undisclosed-recipients

> Hello,
> The present document aims to demonstrate a design weakness found in  
> the
> handling of simply linked   lists   used   to   register   binary    
> formats   handled   by Linux   kernel,   and   affects   all    
> the   kernel families (2.0/2.2/2.4/2.6), allowing the insertion of  
> infection modules in kernel  space that can be used by malicious  
> users to create infection tools, for example rootkits.

Would be nice if I could get to your paper to actually read it, but  
as it returns a 404 error I'm going to make one brief statement:

If you can load another binary format or access the "simply linked  
lists" of the binfmt chain in any way, then you're root and therefore  
there are easier ways to own the box than patching the kernel.

Cheers,
Kyle Moffett

Re: Registration Weakness in Linux Kernel's Binary formats

[Stephen Hemminger]

On Tue, 3 Oct 2006 17:53:30 -0400
Kyle Moffett <mrmacman_g4@mac.com> wrote:

> On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> > Just forwarding....
> 
> Well, you could have checked the list archives first to make sure the  
> idiot didn't send it here himself.  Secondly if you're going to  
> forward something like this best send it to security@kernel.org first.
> 
> Of course, it's partially the abovementioned idiot's fault for BCCing  
> a mailing list and several others:
> > To: undisclosed-recipients
> 
> > Hello,
> > The present document aims to demonstrate a design weakness found in  
> > the
> > handling of simply linked   lists   used   to   register   binary    
> > formats   handled   by Linux   kernel,   and   affects   all    
> > the   kernel families (2.0/2.2/2.4/2.6), allowing the insertion of  
> > infection modules in kernel  space that can be used by malicious  
> > users to create infection tools, for example rootkits.
> 
> Would be nice if I could get to your paper to actually read it, but  
> as it returns a 404 error I'm going to make one brief statement:
> 
> If you can load another binary format or access the "simply linked  
> lists" of the binfmt chain in any way, then you're root and therefore  
> there are easier ways to own the box than patching the kernel.
> 
> Cheers,
> Kyle Moffett

I looked at it, basically his argument which is all flowered up in pretty
pictures and security vulnerability language is:

   If root loads a buggy module then the module can be used to compromise
   the system.

Well isn't that surprising.

-- 
Stephen Hemminger <shemminger@osdl.org>

Re: Registration Weakness in Linux Kernel's Binary formats

[Valdis.Kletnieks]

[-- Attachment #1: Type: text/plain, Size: 553 bytes --]

On Tue, 03 Oct 2006 14:59:54 PDT, Stephen Hemminger said:

> I looked at it, basically his argument which is all flowered up in pretty
> pictures and security vulnerability language is:
> 
>    If root loads a buggy module then the module can be used to compromise
>    the system.
> 
> Well isn't that surprising.

Big yawner.  Now if the claim had been that a properly buggy module, inserted
under a certain set of circumstances, got onto the binfmt list *even when the
process loading it wasn't root*, now *that* would be an exploit....

[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

Re: Registration Weakness in Linux Kernel's Binary formats

[Alan Cox]

Ar Maw, 2006-10-03 am 16:48 -0500, ysgrifennodd Chase Venters:
> So the problem you find is that newly registered binfmts are inserted into 
> the front of the binfmt list instead of the rear, and this means that a 
> binfmt handler can slip in at runtime at run quietly before any other 
> handler?

This is a feature as anyone trying to debug versions of the elf loader
could would find out quite fast.

> 
> I'm not sure I see this as a real problem. If you can load a module into 
> kernel space and access arbitrary symbols (not to mention run in ring 0) I 
> think you can do a lot more than just hide out on the binfmt list.
> 
> Am I missing something?

Don't think so. At the point you can load code into the kernel you can
replace any code anyway.

NOTABUG

Alan

Re: Registration Weakness in Linux Kernel's Binary formats

[Chase Venters]

On Tuesday 03 October 2006 14:12, SHELLCODE Security Research wrote:
> Hello,
> The present document aims to demonstrate a design weakness found in the
> handling of simply
> linked   lists   used   to   register   binary   formats   handled   by
> Linux   kernel,   and   affects   all   the   kernel families
> (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
> kernel­ space that can be used by malicious users to create infection
> tools, for example rootkits.

Yay, you've been Slashdotted!

Question: Why did you personally submit this to Slashdot when it is absolutely 
clear that the observation is akin to figuring out a process can call fork() 
and exec() and become "/bin/rm" with an argv of "/bin/rm", "-rf", and "*"?

Is this what you call good marketing?

> POC, details and proposed solution at:
> English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
> Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
>

Thanks,
Chase

Re: Registration Weakness in Linux Kernel's Binary formats

[Julio Auto]

I sincerely think you're all missing the point here.

The observation is in fact something that can be used by rootkit
writers or developers of other forms of malware. Meaning that this is
always something else that people who work to make Linux a safer
environment will have to watch and look for (think of rootkit
detectors, for an example). I'm glad they've reported it, as someone
might be using it already for God knows how long. All very stealthy.
All I can think is that this is a very good opportunity for us to
rethink some designs and see if a little bit of effort wouldn't be
worth the advantages a patch might bring.

Don't get me wrong. I truly appreciate the freedom that Linux
provides, but this "well, root should be able to do anything, anyway"
mentality won't get this OS anywhere security-wise. If everyone
thought like that, then I'd guess that sys_call_table would be an
exported symbol until now, linux-gate wouldn't be randomized, and so
on.

Just a thought.

Cheers,

    Julio Auto

On 10/4/06, Chase Venters <chase.venters@clientec.com> wrote:
> On Tuesday 03 October 2006 14:12, SHELLCODE Security Research wrote:
> > Hello,
> > The present document aims to demonstrate a design weakness found in the
> > handling of simply
> > linked   lists   used   to   register   binary   formats   handled   by
> > Linux   kernel,   and   affects   all   the   kernel families
> > (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
> > kernel­ space that can be used by malicious users to create infection
> > tools, for example rootkits.
>
> Yay, you've been Slashdotted!
>
> Question: Why did you personally submit this to Slashdot when it is absolutely
> clear that the observation is akin to figuring out a process can call fork()
> and exec() and become "/bin/rm" with an argv of "/bin/rm", "-rf", and "*"?
>
> Is this what you call good marketing?
>
> > POC, details and proposed solution at:
> > English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
> > Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
> >
>
> Thanks,
> Chase
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: Registration Weakness in Linux Kernel's Binary formats

[Chase Venters]

On Tuesday 03 October 2006 23:08, Julio Auto wrote:
> I sincerely think you're all missing the point here.
>
> The observation is in fact something that can be used by rootkit
> writers or developers of other forms of malware. Meaning that this is
> always something else that people who work to make Linux a safer
> environment will have to watch and look for (think of rootkit
> detectors, for an example). I'm glad they've reported it, as someone
> might be using it already for God knows how long. All very stealthy.
> All I can think is that this is a very good opportunity for us to
> rethink some designs and see if a little bit of effort wouldn't be
> worth the advantages a patch might bring.
>
> Don't get me wrong. I truly appreciate the freedom that Linux
> provides, but this "well, root should be able to do anything, anyway"
> mentality won't get this OS anywhere security-wise. If everyone
> thought like that, then I'd guess that sys_call_table would be an
> exported symbol until now, linux-gate wouldn't be randomized, and so
> on.

Julio,
	No one is trying to paper over any real problem here. This attack relies on 
being able to insert an arbitrary kernel module into the running kernel. If 
you can do that, you can literally load _any_ code you want. Attaching to the 
binfmt callback list is one of about a billion things you could do.
	If you're worried about this kind of attack, the only way to be safe is to 
turn off kernel module support or use another mechanism to restrict who can 
load them.
	I think it's a little bit silly for a "security researcher" to simultaneously 
publish stuff in the news and in a developer community, especially if the 
threat is totally phony to begin with.

> Just a thought.
>
> Cheers,
>
>     Julio Auto

Thanks,
Chase

> On 10/4/06, Chase Venters <chase.venters@clientec.com> wrote:
> > On Tuesday 03 October 2006 14:12, SHELLCODE Security Research wrote:
> > > Hello,
> > > The present document aims to demonstrate a design weakness found in the
> > > handling of simply
> > > linked   lists   used   to   register   binary   formats   handled   by
> > > Linux   kernel,   and   affects   all   the   kernel families
> > > (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
> > > kernel­ space that can be used by malicious users to create infection
> > > tools, for example rootkits.
> >
> > Yay, you've been Slashdotted!
> >
> > Question: Why did you personally submit this to Slashdot when it is
> > absolutely clear that the observation is akin to figuring out a process
> > can call fork() and exec() and become "/bin/rm" with an argv of
> > "/bin/rm", "-rf", and "*"?
> >
> > Is this what you call good marketing?
> >
> > > POC, details and proposed solution at:
> > > English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
> > > Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
> >
> > Thanks,
> > Chase
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel"
> > in the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at  http://www.tux.org/lkml/
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: Registration Weakness in Linux Kernel's Binary formats

[Kyle Moffett]

On Oct 04, 2006, at 00:08:57, Julio Auto wrote:
> I sincerely think you're all missing the point here.

No, _you're_ missing the point.

> The observation is in fact something that can be used by rootkit  
> writers or developers of other forms of malware.

This attack relies on being able to load an arbitrary attacker- 
defined kernel module.  Full Stop.  If you can load code into  
privileged mode it's game over regardless of what other designs and  
restrictions are in place.  The "default" security model is that only  
root can load kernel code, but using SELinux or other methods it's  
possible to entirely prevent anything from being loaded after system  
boot or written to the kernel or bootloader images.

If the attacker gains kernel code access, it doesn't matter what  
"simply linked list" or whatever other garbage is being used, they  
can just overwrite the existing ELF loader with their shellcode if  
they want.  Or they could insert a filesystem patch which always  
loads a virus into any ELF binary at load.  Or they could just fork a  
kernel thread and run their shellcode there.  Or they could load a  
copy of Windows from the CD drive and boot into that from Linux.

Kernel-level access implies ultimate trust and security, and  
*nothing* is going to change that.

Cheers,
Kyle Moffett

Re: Registration Weakness in Linux Kernel's Binary formats

[Peter Read]

I'm thinking of starting a 'security research' firm and pointing out
that if you can physically swap the boot device on a machine and
reboot you can run 'arbitrary code'.

I might also point out the new boot device could have NetBSD on it,
and gloss over the hundreds of other things that would be both
possible and expectedly so...

On 04/10/06, Kyle Moffett <mrmacman_g4@mac.com> wrote:
> On Oct 04, 2006, at 00:08:57, Julio Auto wrote:
> > I sincerely think you're all missing the point here.
>
> No, _you're_ missing the point.
>
> > The observation is in fact something that can be used by rootkit
> > writers or developers of other forms of malware.
>
> This attack relies on being able to load an arbitrary attacker-
> defined kernel module.  Full Stop.  If you can load code into
> privileged mode it's game over regardless of what other designs and
> restrictions are in place.  The "default" security model is that only
> root can load kernel code, but using SELinux or other methods it's
> possible to entirely prevent anything from being loaded after system
> boot or written to the kernel or bootloader images.
>
> If the attacker gains kernel code access, it doesn't matter what
> "simply linked list" or whatever other garbage is being used, they
> can just overwrite the existing ELF loader with their shellcode if
> they want.  Or they could insert a filesystem patch which always
> loads a virus into any ELF binary at load.  Or they could just fork a
> kernel thread and run their shellcode there.  Or they could load a
> copy of Windows from the CD drive and boot into that from Linux.
>
> Kernel-level access implies ultimate trust and security, and
> *nothing* is going to change that.
>
> Cheers,
> Kyle Moffett
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>

Re: Registration Weakness in Linux Kernel's Binary formats

[Xavier Bestel]

On Wed, 2006-10-04 at 15:55 +0100, Alan Cox wrote:
> Ar Maw, 2006-10-03 am 23:25 -0500, ysgrifennodd Chase Venters:
> > 	I think it's a little bit silly for a "security researcher" to simultaneously 
> > publish stuff in the news and in a developer community, especially if the 
> > threat is totally phony to begin with.
> 
> Given the way it was carefully fed to slashdot I suspect it may in fact
> be someone with brains who wanted to make slashdot look stupid and spoof
> them. If so they certainly scored 10/10 on that.

Brains are required to make slashdot look stupid ?

Re: Registration Weakness in Linux Kernel's Binary formats

[Alan Cox]

Ar Maw, 2006-10-03 am 23:25 -0500, ysgrifennodd Chase Venters:
> 	I think it's a little bit silly for a "security researcher" to simultaneously 
> publish stuff in the news and in a developer community, especially if the 
> threat is totally phony to begin with.

Given the way it was carefully fed to slashdot I suspect it may in fact
be someone with brains who wanted to make slashdot look stupid and spoof
them. If so they certainly scored 10/10 on that.