Kiddy - Linux kernel module for protection against script kiddies

Kiddy is a module for the Linux kernel designed to reduce the risk of exploitation of (some) kernel vulnerabilities. It does not fix any bug; it raises the bar for ready-made exploits that depend on knowing exactly which kernel they are running against.

The protection mechanism implemented in this module is based on a simple idea: during an attack, the target of the attack is somehow identified. If that identification is made difficult, the complexity of exploitation can grow many times over, because in many cases ready-made exploits contain tables of various offsets keyed by the target kernel version, and without a matching entry they cannot proceed.

For example, this is how a public exploit for CVE-2017-1000112 does it; there you can also see that the kernel version is identified using uname.

The module is easy to deploy and allows you to:

  • change kernel identification;
  • restrict access to the kernel log (dmesg);
  • restrict access to certain files in /proc that also contain identifying information;
  • restrict access to files and folders that potentially contain identifying information;
  • change the kernel version identification available through vDSO.
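The last item deserves a closer look, because the vDSO is a channel that is easy to forget when masking uname and /proc. The following added example is not Kiddy's code and not from the original post: it cross-checks the kernel version that an unprivileged process can learn from uname(2), from /proc/sys/kernel/osrelease and from the ELF "Linux" note that the vDSO carries. It assumes the standard Linux ELF ABI (the vDSO is found through AT_SYSINFO_EHDR in the auxiliary vector and contains a PT_NOTE segment with a note named "Linux", type 0, whose 4-byte descriptor is LINUX_VERSION_CODE); the sample note area built by constructed_sample_notes() is constructed for illustration, not captured from a real kernel.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/utsname.h>

/* Walk an ELF note area and return LINUX_VERSION_CODE from the "Linux"
 * note (type 0, 4-byte descriptor), or 0 if there is none. It works on
 * any note buffer, so it can be exercised on a constructed one. */
uint32_t linux_version_note(const unsigned char *notes, size_t len)
{
    size_t off = 0;
    while (off + sizeof(ElfW(Nhdr)) <= len) {
        ElfW(Nhdr) nh;
        memcpy(&nh, notes + off, sizeof nh);
        if (nh.n_namesz > len || nh.n_descsz > len)   /* malformed sizes */
            break;
        size_t name_off = off + sizeof nh;             /* name and desc are 4-byte aligned */
        size_t desc_off = name_off + ((nh.n_namesz + 3) & ~(size_t)3);
        size_t next = desc_off + ((nh.n_descsz + 3) & ~(size_t)3);
        if (next > len)                                /* truncated note */
            break;
        if (nh.n_type == 0 && nh.n_namesz == 6 && nh.n_descsz == 4 &&
            memcmp(notes + name_off, "Linux", 6) == 0) {
            uint32_t code;
            memcpy(&code, notes + desc_off, sizeof code);
            return code;
        }
        off = next;
    }
    return 0;
}

/* Decode LINUX_VERSION_CODE, i.e. (major << 16) | (minor << 8) | patch. */
int format_version_code(uint32_t code, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%u.%u.%u",
                    (code >> 16) & 0xff, (code >> 8) & 0xff, code & 0xff);
}

/* Locate the vDSO through the auxiliary vector and read its version note. */
uint32_t vdso_version_code(void)
{
    const unsigned char *base = (const unsigned char *)getauxval(AT_SYSINFO_EHDR);
    if (!base)
        return 0;
    const ElfW(Ehdr) *eh = (const ElfW(Ehdr) *)base;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)(base + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type != PT_NOTE)
            continue;
        /* The vDSO is one contiguous mapping of its image, so a file offset
         * is also the offset from the ELF header in memory. */
        uint32_t code = linux_version_note(base + ph[i].p_offset, ph[i].p_filesz);
        if (code)
            return code;
    }
    return 0;
}

/* Constructed sample note area (hypothetical, not from a real kernel): an
 * unrelated "GNU" note first, then the Linux note for kernel 2.6.32. */
size_t constructed_sample_notes(unsigned char *buf, size_t bufsz)
{
    static const char gnu_name[4] = "GNU";        /* namesz 4 including NUL */
    static const char linux_name[8] = "Linux";    /* namesz 6, padded to 8 */
    uint32_t hdr1[3] = { 4, 4, 1 }, desc1 = 0;
    uint32_t hdr2[3] = { 6, 4, 0 }, desc2 = (2u << 16) | (6u << 8) | 32u;
    size_t n = 0;
    if (bufsz < 48)
        return 0;
    memcpy(buf + n, hdr1, 12);       n += 12;
    memcpy(buf + n, gnu_name, 4);    n += 4;
    memcpy(buf + n, &desc1, 4);      n += 4;
    memcpy(buf + n, hdr2, 12);       n += 12;
    memcpy(buf + n, linux_name, 8);  n += 8;
    memcpy(buf + n, &desc2, 4);      n += 4;
    return n;                        /* 44 bytes in total */
}

int main(void)
{
    struct utsname u;
    char procrel[128] = "?", vdso[32] = "?";
    uname(&u);
    FILE *f = fopen("/proc/sys/kernel/osrelease", "r");
    if (f) {
        if (fgets(procrel, sizeof procrel, f))
            procrel[strcspn(procrel, "\n")] = 0;
        fclose(f);
    }
    uint32_t code = vdso_version_code();
    if (code)
        format_version_code(code, vdso, sizeof vdso);
    printf("uname -r                  : %s\n", u.release);
    printf("/proc/sys/kernel/osrelease: %s\n", procrel);
    printf("vDSO LINUX_VERSION_CODE   : %s\n", vdso);
    /* Compare only major.minor: distributions often stamp a different patch
     * level into uname -r than into LINUX_VERSION_CODE. */
    char mm[16];
    snprintf(mm, sizeof mm, "%u.%u.", (code >> 16) & 0xff, (code >> 8) & 0xff);
    if (code && strncmp(u.release, mm, strlen(mm)) != 0)
        printf("mismatch: the vDSO note reveals a kernel version that uname does not report\n");
    return 0;
}
```

Run it once before and once after loading the module: if uname and /proc are masked but the vDSO note still decodes to the real major.minor, the "mismatch" line shows the channel that remains open.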

At build time the module lets you choose between so-called "presets", which implement different logic for altering the identification. For example, with the "windows" preset you get the following behavior:

Before loading the module

    $ ./misc/id.sh
    ** UNAME identidty leaks
     - uname -r
       2.6.32-754.35.1.el6.x86_64
     - uname -v
       #1 SMP Sat Nov 7 12:42:14 UTC 2020
     - uname -a
       Linux localhost.localdomain 2.6.32-754.35.1.el6.x86_64 #1 SMP Sat Nov 7 12:42:14 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    ** PROCFS identidty leaks
     - /proc/cmdline
       ro root=/dev/mapper/VolGroup00-LogVol00 rd_NO_LUKS no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=VolGroup00/LogVol01 rd_LVM_LV=VolGroup00/LogVol00 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
     - /proc/version
       Linux version 2.6.32-754.35.1.el6.x86_64 (mockbuild@x86-02.bsys.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Sat Nov 7 12:42:14 UTC 2020
     - /proc/sys/kernel/version
       #1 SMP Sat Nov 7 12:42:14 UTC 2020
     - /proc/sys/kernel/osrelease
       2.6.32-754.35.1.el6.x86_64
    which: no hostnamectl in (/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/vagrant/bin)

After loading the module

    $ ./misc/id.sh
    ** UNAME identidty leaks
     - uname -r
       Windows
     - uname -v
       NT 4.0
     - uname -a
       Linux localhost.localdomain Windows NT 4.0 x86_64 x86_64 x86_64 GNU/Linux
    ** PROCFS identidty leaks
     - /proc/cmdline
       \EFI\Microsoft\Boot\bootmgfw.efi
     - /proc/version
       Windows NT 4.0
     - /proc/sys/kernel/version
       NT 4.0
     - /proc/sys/kernel/osrelease
       Windows
    which: no hostnamectl in (/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/vagrant/bin)

Script kiddies will not pass!

Source: linux.org.ru