undefined | Better HN

0 pointsjeffbee1mo ago0 comments

Based on what? Proc title?

0 comments

8 comments · 3 top-level

CGamesPlay1mo ago· 3 in thread

Proc title is very easily forged (without root even). Obviously a real privileged process could modify the kernel and do whatever it wants, but if I were trying to detect this I would start with /proc/$id/exe.

Retr0id1mo ago

/proc/pid/exe is also easily forged, without root. For example you can do LD_PRELOAD=evil.so /bin/foo on any dynamic executable, or spawn /bin/foo unmodified and inject code via ptrace or /proc/pid/mem.

I have a fileless, execless copyfail exploit that works by injecting shellcode directly into systemd's pid 1. (I should probably publish it at some point...)

jeffbeeOP1mo ago

Yeah the whole system is based on the ability of one task to apparently become another task, that's how Unix works. So the indicators in /proc are just that: indicative at best.

There's no reason the task should even be assumed to be executing code in a file. A process can map code into anonymous memory and continue executing there without even branching. Again this is considered a feature of the system rather than a flaw.

jeffbeeOP1mo ago

Maybe, but there's a prctl to change that reference which a root process can use.

parliament321mo ago· 2 in thread

It's curious they're just "monitoring" rather than preventing.

In a serious environment you'd run IPE with dm-verity/fs-verity to ensure binaries are whitelisted and integrity-checked at every execution.

staticassertion1mo ago

lol no one does that (edit: or, rather, that is extremely uncommon, even in "serious" environments, for a ton of reasons).

parliament321mo ago

Look at the FedRAMP requirements around integrity protection, then look at how massive the list of complaint products is. I promise, pretty much everyone in regulated environments is. It's so prevelant Azure is even pushing a turnkey solution for k8s https://learn.microsoft.com/en-us/azure/aks/use-azure-linux-...

2 more replies

dboreham1mo ago

They might just compute a hash over the binary, or the code space in memory.

j / k navigate · click thread line to collapse

0 comments

8 comments · 3 top-level

CGamesPlay1mo ago· 3 in thread

Retr0id1mo ago

I have a fileless, execless copyfail exploit that works by injecting shellcode directly into systemd's pid 1. (I should probably publish it at some point...)

jeffbeeOP1mo ago

Yeah the whole system is based on the ability of one task to apparently become another task, that's how Unix works. So the indicators in /proc are just that: indicative at best.

jeffbeeOP1mo ago

Maybe, but there's a prctl to change that reference which a root process can use.

parliament321mo ago· 2 in thread

It's curious they're just "monitoring" rather than preventing.

In a serious environment you'd run IPE with dm-verity/fs-verity to ensure binaries are whitelisted and integrity-checked at every execution.

staticassertion1mo ago

lol no one does that (edit: or, rather, that is extremely uncommon, even in "serious" environments, for a ton of reasons).

parliament321mo ago

2 more replies

dboreham1mo ago

They might just compute a hash over the binary, or the code space in memory.

j / k navigate · click thread line to collapse