From: Xiaotian Feng on 15 Apr 2010 02:20

On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt(a)gmail.com> wrote:
> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
> But the config "Filter access to /dev/mem" is "default n", which allows kernel
> rootkits to use /dev/mem again; by default it can access all kernel memory. Most
> administrators don't know that "Filter access to /dev/mem" is "default N", so when
> they compile the kernel, it is easily attacked by a rootkit.

Have you ever successfully attacked this way? If CONFIG_STRICT_DEVMEM
is not set, the /dev/mem access is filtered in pat code.

> > Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com> > > --- > arch/x86/Kconfig.debug | 3 ++- > arch/x86/configs/i386_defconfig | 2 +- > arch/x86/configs/x86_64_defconfig | 2 +- > 3 files changed, 4 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug > index bc01e3e..733aea6 100644 > --- a/arch/x86/Kconfig.debug > +++ b/arch/x86/Kconfig.debug > @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" > > config STRICT_DEVMEM > bool "Filter access to /dev/mem" > + default y > ---help--- > If this option is disabled, you allow userspace (root) access to all > of memory, including kernel and userspace memory. Accidental > @@ -20,7 +21,7 @@ config STRICT_DEVMEM > This is sufficient for dosemu and X and all common users of > /dev/mem. > > - If in doubt, say Y. > + If in doubt, say N. > > config X86_VERBOSE_BOOTUP > bool "Enable verbose x86 bootup info messages" > diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig > index d28fad1..95c85a8 100644 > --- a/arch/x86/configs/i386_defconfig > +++ b/arch/x86/configs/i386_defconfig 
> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y > # CONFIG_SAMPLES is not set > CONFIG_HAVE_ARCH_KGDB=y > # CONFIG_KGDB is not set > -# CONFIG_STRICT_DEVMEM is not set > +CONFIG_STRICT_DEVMEM=y > CONFIG_X86_VERBOSE_BOOTUP=y > CONFIG_EARLY_PRINTK=y > CONFIG_EARLY_PRINTK_DBGP=y > diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig > index 6c86acd..659bfe7 100644 > --- a/arch/x86/configs/x86_64_defconfig > +++ b/arch/x86/configs/x86_64_defconfig > @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y > # CONFIG_SAMPLES is not set > CONFIG_HAVE_ARCH_KGDB=y > # CONFIG_KGDB is not set > -# CONFIG_STRICT_DEVMEM is not set > +CONFIG_STRICT_DEVMEM=y > CONFIG_X86_VERBOSE_BOOTUP=y > CONFIG_EARLY_PRINTK=y > CONFIG_EARLY_PRINTK_DBGP=y > -- > 1.6.5.3 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo(a)vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ >
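Review bot: the help-text change in the arch/x86/Kconfig.debug hunk contradicts the new default it sits next to. The hunk adds `+ default y` and at the same time replaces `- If in doubt, say Y.` with `+ If in doubt, say N.`, so the option now defaults on while its own help tells an unsure user to switch it off. Drop the second change and keep `If in doubt, say Y.`, which was already correct; the only line this hunk needs is the `default y`. The surrounding help text ("This is sufficient for dosemu and X and all common users of /dev/mem") is the justification for defaulting on, and the help should stay consistent with that.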
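Review bot: the two defconfig hunks (i386_defconfig and x86_64_defconfig) flip `-# CONFIG_STRICT_DEVMEM is not set` to `+CONFIG_STRICT_DEVMEM=y` without the changelog saying what stops working for anyone who relied on unrestricted /dev/mem; the host IDS shown elsewhere in this thread reads kernel memory through /dev/mem and is exactly the kind of tool that will start getting EPERM. The commit message should state which users keep working (dosemu and X, per the Kconfig help text) and which need CONFIG_STRICT_DEVMEM=n, and should say why the defconfigs are edited at all when `default y` already covers a fresh configuration, since otherwise it is unclear whether the defconfig edits are required or just regenerated output.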
From: wzt wzt on 15 Apr 2010 02:20

On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng(a)gmail.com> wrote:
> On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt(a)gmail.com> wrote:
>> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
>> But the config "Filter access to /dev/mem" is "default n", which allows kernel
>> rootkits to use /dev/mem again; by default it can access all kernel memory. Most
>> administrators don't know that "Filter access to /dev/mem" is "default N", so when
>> they compile the kernel, it is easily attacked by a rootkit.
>
> Have you ever successfully attacked this way?

[root(a)localhost zealot]# ./zealot
[+] Found HISTSIZE. [SAFE]
[+] Check md5 values. [SAFE]
[+] eth0 was not set promsic. [SAFE]
[+] Not found raw socket. [SAFE]
system_call addr changed to 0xc04028a0,sys_call_table addr changed to
0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
call sys_fork addr changed to 0xc0407bbb

It's a host IDS I wrote; it can search all kernel memory using /dev/mem. OK?

Some of the code is here:

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define DEV_MEM       "/dev/mem"
#define PAGE_SZ       4096UL
#define ALIGNDOWN(x)  ((x) & ~(PAGE_SZ - 1))
#define ALIGNUP(x)    (((x) + PAGE_SZ - 1) & ~(PAGE_SZ - 1))
#define DbgPrint(...) fprintf(stderr, __VA_ARGS__)

static int mem_support_flag;	/* set once /dev/mem refuses a mapping */

/*
 * Map `count` bytes of the physical memory behind the i386 kernel virtual
 * address `off`. The mask assumes PAGE_OFFSET 0xc0000000, so it yields the
 * physical address for kernel addresses in the low 256 MiB. The returned
 * pointer is page aligned; the caller adds off - ALIGNDOWN(off) to reach `off`.
 */
static void *kmap(unsigned long off, unsigned long count)
{
	int fd;
	void *p;

	fd = open(DEV_MEM, O_RDWR);
	if (fd < 0) {
		DbgPrint("open %s failed, errno %d\n", DEV_MEM, errno);
		return NULL;
	}

	/* One extra page keeps [off, off + count) inside the mapping after
	 * the offset is rounded down to a page boundary. */
	p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
		 MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);
	if (p == MAP_FAILED) {
		/* With CONFIG_STRICT_DEVMEM this fails with EPERM for kernel RAM. */
		mem_support_flag = 1;
		fprintf(stdout, "[-] /dev/mem cannot be read or written.\n");
		DbgPrint("mmap failure, errno %d\n", errno);
		close(fd);
		return NULL;
	}

	close(fd);	/* the mapping stays valid after the descriptor is closed */
	return p;
}

> If CONFIG_STRICT_DEVMEM
> is not set, the /dev/mem access is filtered in pat code.
Please point to it, thanks.

>> >> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com> >> >> --- >> arch/x86/Kconfig.debug | 3 ++- >> arch/x86/configs/i386_defconfig | 2 +- >> arch/x86/configs/x86_64_defconfig | 2 +- >> 3 files changed, 4 insertions(+), 3 deletions(-) 
>> >> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >> index bc01e3e..733aea6 100644 >> --- a/arch/x86/Kconfig.debug >> +++ b/arch/x86/Kconfig.debug >> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" >> >> config STRICT_DEVMEM >> bool "Filter access to /dev/mem" >> + default y >> ---help--- >> If this option is disabled, you allow userspace (root) access to all >> of memory, including kernel and userspace memory. Accidental >> @@ -20,7 +21,7 @@ config STRICT_DEVMEM >> This is sufficient for dosemu and X and all common users of >> /dev/mem. >> >> - If in doubt, say Y. >> + If in doubt, say N. >> >> config X86_VERBOSE_BOOTUP >> bool "Enable verbose x86 bootup info messages" >> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig >> index d28fad1..95c85a8 100644 >> --- a/arch/x86/configs/i386_defconfig >> +++ b/arch/x86/configs/i386_defconfig >> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >> # CONFIG_SAMPLES is not set >> CONFIG_HAVE_ARCH_KGDB=y >> # CONFIG_KGDB is not set >> -# CONFIG_STRICT_DEVMEM is not set >> +CONFIG_STRICT_DEVMEM=y >> CONFIG_X86_VERBOSE_BOOTUP=y >> CONFIG_EARLY_PRINTK=y >> CONFIG_EARLY_PRINTK_DBGP=y >> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig >> index 6c86acd..659bfe7 100644 >> --- a/arch/x86/configs/x86_64_defconfig >> +++ b/arch/x86/configs/x86_64_defconfig 
>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >> # CONFIG_SAMPLES is not set >> CONFIG_HAVE_ARCH_KGDB=y >> # CONFIG_KGDB is not set >> -# CONFIG_STRICT_DEVMEM is not set >> +CONFIG_STRICT_DEVMEM=y >> CONFIG_X86_VERBOSE_BOOTUP=y >> CONFIG_EARLY_PRINTK=y >> CONFIG_EARLY_PRINTK_DBGP=y >> -- >> 1.6.5.3 >>
From: Xiaotian Feng on 15 Apr 2010 02:30

On Thu, Apr 15, 2010 at 2:17 PM, wzt wzt <wzt.wzt(a)gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng(a)gmail.com> wrote:
>> On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt(a)gmail.com> wrote:
>>> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
>>> But the config "Filter access to /dev/mem" is "default n", which allows kernel
>>> rootkits to use /dev/mem again; by default it can access all kernel memory. Most
>>> administrators don't know that "Filter access to /dev/mem" is "default N", so when
>>> they compile the kernel, it is easily attacked by a rootkit.
>>
>> Have you ever successfully attacked this way?
>
> [root(a)localhost zealot]# ./zealot

So you're running the rootkit as the root user?

> [+] Found HISTSIZE. [SAFE]
> [+] Check md5 values. [SAFE]
> [+] eth0 was not set promsic. [SAFE]
> [+] Not found raw socket. [SAFE]
> system_call addr changed to 0xc04028a0,sys_call_table addr changed to
> 0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
> 0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
> call sys_fork addr changed to 0xc0407bbb
>
> It's a host IDS I wrote; it can search all kernel memory using /dev/mem. OK?
>
> Some of the code is here:
> static void *kmap(unsigned long off, unsigned long count)
> {
>         int fd;
>         void *p;
>
>         fd = open(DEV_MEM, O_RDWR);
>         if (fd < 3) {
>                 DbgPrint("open %s failed.\n", DEV_MEM);
>                 dup2(fd, 3);
>                 close(fd);
>                 fd = 3;
>         }
>
>         p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
>                  MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);
>         if (p == MAP_FAILED)
>         {
>                 mem_support_flag = 1;
>                 fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");
>
>                 DbgPrint("mmap failture, errno %d\n", errno);
>                 close(fd);
>                 return NULL;
>         }
>
>         close(fd);
>         return p;
> }
>
>> If CONFIG_STRICT_DEVMEM
>> is not set, the /dev/mem access is filtered in pat code.
> Please point to it, thanks.
>

Years ago, someone sent the same patch.
check http://lkml.org/lkml/2008/11/7/361 >>> >>> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com> >>> >>> --- >>> arch/x86/Kconfig.debug | 3 ++- >>> arch/x86/configs/i386_defconfig | 2 +- >>> arch/x86/configs/x86_64_defconfig | 2 +- >>> 3 files changed, 4 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >>> index bc01e3e..733aea6 100644 >>> --- a/arch/x86/Kconfig.debug >>> +++ b/arch/x86/Kconfig.debug >>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" >>> >>> config STRICT_DEVMEM >>> bool "Filter access to /dev/mem" >>> + default y >>> ---help--- >>> If this option is disabled, you allow userspace (root) access to all >>> of memory, including kernel and userspace memory. Accidental >>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM >>> This is sufficient for dosemu and X and all common users of >>> /dev/mem. >>> >>> - If in doubt, say Y. >>> + If in doubt, say N. >>> >>> config X86_VERBOSE_BOOTUP >>> bool "Enable verbose x86 bootup info messages" >>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig >>> index d28fad1..95c85a8 100644 >>> --- a/arch/x86/configs/i386_defconfig >>> +++ b/arch/x86/configs/i386_defconfig >>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig >>> index 6c86acd..659bfe7 100644 >>> --- a/arch/x86/configs/x86_64_defconfig >>> +++ b/arch/x86/configs/x86_64_defconfig 
>>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> -- >>> 1.6.5.3 >>>
From: wzt wzt on 15 Apr 2010 02:50

> So you're running the rootkit as the root user?
>
Rootkits always run as the root user.

> Years ago, someone sent the same patch.
> check http://lkml.org/lkml/2008/11/7/361
Thanks, I read it. But nowadays >= 2.6.26 kernels have become more popular,
and more people use them. When they compile the kernel, they don't change
the KERNEL_HACKING options, because they are not kernel programmers.
From: Xiaotian Feng on 15 Apr 2010 03:20

On Thu, Apr 15, 2010 at 2:17 PM, wzt wzt <wzt.wzt(a)gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng(a)gmail.com> wrote:
>> On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt(a)gmail.com> wrote:
>>> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
>>> But the config "Filter access to /dev/mem" is "default n", which allows kernel
>>> rootkits to use /dev/mem again; by default it can access all kernel memory. Most
>>> administrators don't know that "Filter access to /dev/mem" is "default N", so when
>>> they compile the kernel, it is easily attacked by a rootkit.
>>
>> Have you ever successfully attacked this way?

I'm curious about the result if you set this option to yes.

> [root(a)localhost zealot]# ./zealot
> [+] Found HISTSIZE. [SAFE]
> [+] Check md5 values. [SAFE]
> [+] eth0 was not set promsic. [SAFE]
> [+] Not found raw socket. [SAFE]
> system_call addr changed to 0xc04028a0,sys_call_table addr changed to
> 0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
> 0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
> call sys_fork addr changed to 0xc0407bbb
>
> It's a host IDS I wrote; it can search all kernel memory using /dev/mem. OK?
>
> Some of the code is here:
> static void *kmap(unsigned long off, unsigned long count)
> {
>         int fd;
>         void *p;
>
>         fd = open(DEV_MEM, O_RDWR);
>         if (fd < 3) {
>                 DbgPrint("open %s failed.\n", DEV_MEM);
>                 dup2(fd, 3);
>                 close(fd);
>                 fd = 3;
>         }
>
>         p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
>                  MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);

mmap_mem in drivers/char/mem.c:

	if (!range_is_allowed(vma->vm_pgoff, size))
		return -EPERM;

	if (!phys_mem_access_prot_allowed(file, vma->vm_pgoff, size,
						&vma->vm_page_prot))
		return -EINVAL;

If the kernel does not set CONFIG_STRICT_DEVMEM, range_is_allowed will always
return 1, and phys_mem_access_prot_allowed is defined as weak. In
arch/x86/mm/pat.c, phys_mem_access_prot_allowed is defined, and
range_is_allowed is declared to check the memory access without
CONFIG_STRICT_DEVMEM, so it looks the same as a kernel with
CONFIG_STRICT_DEVMEM.

What's the result for a kernel with CONFIG_STRICT_DEVMEM? Does it prevent
your rootkit?

>         if (p == MAP_FAILED)
>         {
>                 mem_support_flag = 1;
>                 fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");
>
>                 DbgPrint("mmap failture, errno %d\n", errno);
>                 close(fd);
>                 return NULL;
>         }
>
>         close(fd);
>         return p;
> }
>
>> If CONFIG_STRICT_DEVMEM
>> is not set, the /dev/mem access is filtered in pat code.
> Please point to it, thanks.
>

>>> >>> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com> >>> >>> --- >>> arch/x86/Kconfig.debug | 3 ++- >>> arch/x86/configs/i386_defconfig | 2 +- >>> arch/x86/configs/x86_64_defconfig | 2 +- >>> 3 files changed, 4 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >>> index bc01e3e..733aea6 100644 >>> --- a/arch/x86/Kconfig.debug >>> +++ b/arch/x86/Kconfig.debug >>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug" >>> >>> config STRICT_DEVMEM >>> bool "Filter access to /dev/mem" >>> + default y >>> ---help--- >>> If this option is disabled, you allow userspace (root) access to all >>> of memory, including kernel and userspace memory. Accidental >>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM >>> This is sufficient for dosemu and X and all common users of >>> /dev/mem. >>> >>> - If in doubt, say Y. >>> + If in doubt, say N. >>> >>> config X86_VERBOSE_BOOTUP >>> bool "Enable verbose x86 bootup info messages" >>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig >>> index d28fad1..95c85a8 100644 >>> --- a/arch/x86/configs/i386_defconfig >>> +++ b/arch/x86/configs/i386_defconfig 
>>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig >>> index 6c86acd..659bfe7 100644 >>> --- a/arch/x86/configs/x86_64_defconfig >>> +++ b/arch/x86/configs/x86_64_defconfig >>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y >>> # CONFIG_SAMPLES is not set >>> CONFIG_HAVE_ARCH_KGDB=y >>> # CONFIG_KGDB is not set >>> -# CONFIG_STRICT_DEVMEM is not set >>> +CONFIG_STRICT_DEVMEM=y >>> CONFIG_X86_VERBOSE_BOOTUP=y >>> CONFIG_EARLY_PRINTK=y >>> CONFIG_EARLY_PRINTK_DBGP=y >>> -- >>> 1.6.5.3 >>>
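The exchange above comes down to one empirical question: when a root process reads a page of kernel RAM through /dev/mem, does the read succeed, or does range_is_allowed() reject it with EPERM? That is easy to settle on a given machine. The program below is an added example, not code from this thread, from the zealot IDS, or from the kernel tree. It finds a System RAM page above 1 MiB in /proc/iomem (the x86 filter deliberately leaves the first megabyte readable so that X and dosemu keep working), attempts a single pread() of that page from /dev/mem, and reports one of three verdicts: the read succeeded (no filtering, root sees all memory, the situation the patch wants to change), it failed with EPERM (the range_is_allowed() rejection quoted above, i.e. CONFIG_STRICT_DEVMEM is effective), or the device could not be opened at all (no root/CAP_SYS_RAWIO, or a kernel with lockdown enabled refuses /dev/mem outright). The verdict names, the /proc/iomem parsing and the SAMPLE_IOMEM text are this example's own inventions; run it as root, since current kernels show only zero addresses in /proc/iomem to unprivileged users.

```c
/* devmem_probe.c: does this kernel filter /dev/mem reads of kernel RAM?
 * Added example, not from the thread or the kernel tree.
 * Build: gcc -O2 -o devmem_probe devmem_probe.c   Run as root. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PAGE_SZ       0x1000UL
#define LOW_MEM_LIMIT 0x100000UL /* first 1 MiB stays readable for X/dosemu even when filtered */

/* Verdicts produced by devmem_verdict() (names are this example's own). */
enum devmem_state {
	DEVMEM_UNFILTERED,  /* root read kernel RAM: CONFIG_STRICT_DEVMEM is off */
	DEVMEM_FILTERED,    /* EPERM from range_is_allowed(): CONFIG_STRICT_DEVMEM is on */
	DEVMEM_OPEN_DENIED, /* open() refused: not root/CAP_SYS_RAWIO, or kernel lockdown */
	DEVMEM_UNKNOWN      /* anything else, e.g. a short read or ENXIO on a memory hole */
};

/* Constructed /proc/iomem excerpt (not captured from a real machine). */
static const char SAMPLE_IOMEM[] =
	"00000000-00000fff : Reserved\n"
	"00001000-0009fbff : System RAM\n"
	"000a0000-000fffff : Reserved\n"
	"00100000-bfedffff : System RAM\n"
	"  01000000-01c01e5e : Kernel code\n"
	"fee00000-fee00fff : Local APIC\n";

/* Parse one top-level /proc/iomem line such as "00100000-bfedffff : System RAM".
 * Returns 1 and fills start/end (inclusive) only for top-level System RAM. */
static int parse_iomem_line(const char *line, unsigned long *start, unsigned long *end)
{
	char name[64];

	if (line[0] == ' ') /* indented lines are children (Kernel code, ACPI, ...) */
		return 0;
	if (sscanf(line, "%lx-%lx : %63[^\n]", start, end, name) != 3)
		return 0;
	return strcmp(name, "System RAM") == 0;
}

/* Choose a page-aligned physical address of System RAM above 1 MiB from the
 * text of /proc/iomem. Returns 0 when no such page is visible (an unprivileged
 * reader sees every range as 00000000-00000000). */
static unsigned long pick_ram_page(const char *iomem_text)
{
	const char *p = iomem_text;
	unsigned long start, end, cand;

	for (; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL) {
		if (!parse_iomem_line(p, &start, &end))
			continue;
		cand = start < LOW_MEM_LIMIT ? LOW_MEM_LIMIT : start;
		cand = (cand + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
		if (cand + PAGE_SZ - 1 <= end)
			return cand;
	}
	return 0;
}

/* Classify the outcome of open("/dev/mem") followed by one pread() of a page. */
static enum devmem_state devmem_verdict(int open_ok, int open_errno,
					ssize_t nread, int read_errno)
{
	if (!open_ok)
		return (open_errno == EACCES || open_errno == EPERM)
			? DEVMEM_OPEN_DENIED : DEVMEM_UNKNOWN;
	if (nread == (ssize_t)PAGE_SZ)
		return DEVMEM_UNFILTERED;
	if (nread < 0 && read_errno == EPERM)
		return DEVMEM_FILTERED;
	return DEVMEM_UNKNOWN;
}

static const char *verdict_text(enum devmem_state s)
{
	switch (s) {
	case DEVMEM_UNFILTERED:  return "readable: /dev/mem exposes all RAM (CONFIG_STRICT_DEVMEM off)";
	case DEVMEM_FILTERED:    return "EPERM: /dev/mem is filtered (CONFIG_STRICT_DEVMEM on)";
	case DEVMEM_OPEN_DENIED: return "open denied: need root/CAP_SYS_RAWIO, or lockdown is active";
	default:                 return "inconclusive";
	}
}

/* Read /proc/iomem (a few KiB) into a NUL-terminated buffer; NULL if unreadable. */
static char *read_whole_file(const char *path)
{
	FILE *f = fopen(path, "r");
	char *buf = f ? malloc(65536) : NULL;
	size_t n = 0;

	if (buf)
		n = fread(buf, 1, 65535, f);
	if (f)
		fclose(f);
	if (buf)
		buf[n] = '\0';
	return buf;
}

int main(void)
{
	char *iomem = read_whole_file("/proc/iomem");
	unsigned long phys = iomem ? pick_ram_page(iomem) : 0;
	unsigned char page[PAGE_SZ];
	int fd, open_errno = 0, read_errno = 0;
	ssize_t n = -1;
	enum devmem_state v;

	free(iomem);
	if (!phys) {
		fprintf(stderr, "no System RAM above 1 MiB visible in /proc/iomem (run as root)\n");
		return 2;
	}
	fd = open("/dev/mem", O_RDONLY);
	open_errno = errno;
	if (fd >= 0) {
		n = pread(fd, page, sizeof page, (off_t)phys);
		read_errno = errno;
		close(fd);
	}
	v = devmem_verdict(fd >= 0, open_errno, n, read_errno);
	printf("/dev/mem read of 0x%lx: %s\n", phys, verdict_text(v));
	return v == DEVMEM_FILTERED ? 0 : 1;
}
```

The probe uses read() rather than mmap() because the read path returns a clean errno for one page, while a mapping of a filtered range can also fail for cache-attribute reasons in the PAT code and would muddle the answer. Exit status 0 means the kernel behaves the way the patch wants by default; anything else is worth a look at the printed verdict.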