The developers of the Grsecurity project
The HKSP patches were published by a Huawei employee, include a mention of Huawei in the GitHub profile, and use the word Huawei in the project name (HKSP - Huawei Kernel Self Protection). At the same time, Huawei representatives denied any connection between the HKSP project and the company, stating that the code was developed on the employee's personal initiative, is not an official Huawei project, and is not used in the company's products. On
HKSP includes changes such as randomization of offsets in the cred structure, protection against attacks on the user identifier namespace (pid namespace), separation of the process stack from the mmap area, detection of double calls to the kfree function, blocking of leaks through the pseudo-FS /proc (/proc/{modules, keys, key-users}, /proc/sys/kernel/* and /proc/sys/vm/mmap_min_addr, /proc/kallsyms), improved user-space address randomization, additional Ptrace protection, strengthened smap and smep protection, the ability to prohibit sending data through raw sockets, blocking of invalid addresses in UDP sockets, and integrity checking of running processes. It also includes the Ksguard kernel module, which is aimed at detecting attempts to introduce typical rootkits.
The patches
A study of the patches by the Grsecurity developers revealed many errors and weaknesses in the code, and also showed the absence of a threat model that would allow the project's capabilities to be assessed adequately. To demonstrate that the code was written without secure programming practices, they give an example of a trivial vulnerability in the handler of the file /proc/ksguard/state, which is created with permissions 0777, meaning that everyone has write access. The ksg_state_write function, which parses commands written to /proc/ksguard/state, creates a buffer tmp[32] into which data is written according to the size of the operand passed, without taking the size of the target buffer into account and without checking the parameter against the string size. That is, to overwrite part of the kernel stack, an attacker only needs to write a specially crafted line to /proc/ksguard/state.
    static ssize_t ksg_state_write(struct file *file, const char __user *buf,
                                   size_t len, loff_t *offset)
    {
        u64 value;
        char tmp[32];
        size_t n = 0;

        /* len is supplied by the writer and is not checked against sizeof(tmp) */
        if (copy_from_user(tmp, buf, len))
            return -1;

        value = simple_strtoul(tmp, '\0', 10);
        ...
Exploit prototype:
    char buf[4096] = { };
    int fd = open("/proc/ksguard/state", O_WRONLY);
    if (fd >= 0) {
        write(fd, buf, sizeof(buf));
        close(fd);
    }
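A bounded version of the write path described above, as an added example that is not taken from the HKSP patches or from the Grsecurity analysis: a user-space model in which memcpy() stands in for copy_from_user() and ksg_state_write_checked() is a hypothetical name. In kernel code, kstrtoull_from_user() does a bounded copy followed by a strict parse, and the /proc entry would be created with a mode narrower than 0777.

```c
/* User-space model of a bounded /proc write handler (added example).
 * ksg_state_write_checked() is a hypothetical name; memcpy() stands in
 * for copy_from_user(). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define KSG_TMP_LEN 32 /* same size as tmp[32] in the handler above */

/* Returns len and stores the parsed decimal in *out, or a negative errno. */
static ssize_t ksg_state_write_checked(const char *buf, size_t len, uint64_t *out)
{
    char tmp[KSG_TMP_LEN];
    char *end;
    unsigned long long value;

    /* len is chosen by the writer: bound it by the destination buffer
     * and keep one byte for the terminator. */
    if (len == 0 || len >= sizeof(tmp))
        return -EINVAL;
    memcpy(tmp, buf, len); /* copy_from_user() in the kernel */
    tmp[len] = '\0'; /* user data is not guaranteed to be NUL-terminated */
    if (tmp[0] < '0' || tmp[0] > '9')
        return -EINVAL; /* no sign or leading whitespace */
    errno = 0;
    value = strtoull(tmp, &end, 10);
    if (errno == ERANGE)
        return -EINVAL; /* does not fit in 64 bits */
    if (*end == '\n')
        end++; /* tolerate the newline appended by echo */
    if (end != tmp + len)
        return -EINVAL; /* trailing bytes after the number */
    *out = value;
    return (ssize_t)len;
}

int main(void)
{
    char big[4096] = { 0 }; /* constructed: same size as the oversized write above */
    uint64_t v = 0;
    printf("%zd\n", ksg_state_write_checked("1\n", 2, &v));
    printf("%zd\n", ksg_state_write_checked(big, sizeof(big), &v));
    return 0;
}
```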
Source: opennet.ru