Mambo Exploit Blocked by SELinux

From Issue #159
July 2007

Jul 01, 2007 By Richard Bulling...

Security

A real-world case where SELinux proved its worth.

Richard Bullington-McGuire is the Managing Partner of PKR Internet, LLC, a software and systems consulting firm in Arlington, Virginia, specializing in Linux, open source and Java. He also founded The Obscure Organization, a nonprofit organization that promotes creativity and community through technology. He has been a Linux sysadmin since 1994. You can reach him at rbulling@pkrinternet.com.

______________________

Comments

Titanic movie rendered with Linux

Submitted by bosch servisi (not verified) on Sat, 09/18/2010 - 10:19.

bosch servisi, bosch servis

..

Submitted by turkce (not verified) on Sat, 12/27/2008 - 12:18.

Thanks..

radyo

Submitted by radyo (not verified) on Wed, 10/29/2008 - 14:34.

thank you very good

An alternate defense against this attack

Submitted by Richard Bulling... on Mon, 06/25/2007 - 10:41.

Kyle Wilson recently wrote me regarding this article, and gave me permission to share his remarks with Linux Journal readers:
________________________________________________________

Richard,

Hi. I just finished reading your article about SELinux in this month's Linux Journal. I enjoyed it very much. I thought I'd share a tip with you which I use to protect my internet facing servers. I always edit my fstab file to include the nosuid and noexec mount options for my tmp file system. In the case of the Mambo exploit which you wrote about, having the noexec mount option on /tmp would have also prevented the exploit by preventing the execution of the cback binary which was placed in your /tmp file system. Here's the description of the options from the mount man page:

noexec - Do not allow execution of any binaries on the mounted file system. This option might be useful for a server that has file systems containing binaries for architectures other than its own.

nosuid - Do not allow set-user-identifier or set-group-identifier bits to take effect. (This seems safe, but is in fact rather unsafe if you have suidperl(1) installed.)

Kyle
________________________________________________________

Kyle has some good points about protecting filesystems using mount options. That is a solid and time-honored way of helping to secure a system, to be sure. I've seen some systems that have many filesystem mount points that are locked down with noexec and nosuid options.

Many systems today (including the one I wrote about) only have two file systems by default, that is a boot and / filesystems. This system was one of those. Locking down /tmp like that would also have protected from this specific attack, had SELinux not been activated:

# for /etc/fstab: none /tmp tmpfs nosuid,noexec,rw,size=512m 0 0

However, other points of vulnerability also exist, such as /dev/shm, /var/tmp, and really, any writable file on your system. To be thorough about using nosuid and noexec options, you would need to ensure that these directories are also protected with these options. That is easy enough for /dev/shm, but not so easy for /var/tmp unless you dedicate a disk partition to it, or do funny tricks such as mounting a file on /var with the loop device and mounting that on /var/tmp. Even doing that is not proof against a determined attacker, as this shell code snippet illustrates:

# Try this out on your system to see how wide-open you could still be echo "World-writable directories:" find / -type d -perm +0002 echo "World-witable files:" find / -type f -perm +0002

One of the nice things about the Red Hat / Fedora SELinux targeted policies is that it stops attacks on pretty much all of these locations with a default-deny rule.

Correction: sentence below Listing 4

Submitted by Richard Bulling... on Mon, 06/25/2007 - 10:26.

The sentence below Listing 4 should read:

Lines showing further attacks similar to the trace on targetbox versus Mambo, xmlrpc.php, drupal and phpgroupware also appeared in this grep.

Webcast

More Resources

How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.

Learn More


Designing Electronics with Linux	May 22, 2013
Dynamic DNS—an Object Lesson in Problem Solving	May 21, 2013
Using Salt Stack and Vagrant for Drupal Development	May 20, 2013
Making Linux and Android Get Along (It's Not as Hard as It Sounds)	May 16, 2013
Drupal Is a Framework: Why Everyone Needs to Understand This	May 15, 2013
Home, My Backup Data Center	May 13, 2013

Free Webinar: Hadoop

How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers

Some of key questions to be discussed are:

What is the “typical” Hadoop cluster and what should be installed on the different machine types?
Why should you consider the typical workload patterns when making your hardware decisions?
Are all microservers created equal for Hadoop deployments?
How do I plan for expansion if I require more compute, memory, storage or networking?

Register now for this free webinar.

First Name	Last Name

Address 1	Address 2

City	State	Zip

Email

Mambo Exploit Blocked by SELinux

Comments

Comment viewing options

Titanic movie rendered with Linux

..

radyo

An alternate defense against this attack

Correction: sentence below Listing 4

Trending Topics

Free Webinar: Hadoop

Digital Edition

Magazine Formats

The Store

About Us

The Site