Network Security Incidents

Re: Systems compromised with ShellBOT perl script - part 2

Subject: Re: Systems compromised with ShellBOT perl script - part 2
Date: Wed, 20 Oct 2004 11:13:02 -0700
On Wed, 20 Oct 2004 00:04:36 -0500, security@kemhosting.com
<security@kemhosting.com> wrote:

> Today, hackers used the ShellBOT perl script to bring down Apache and start up
> their IRC listener.  They (somehow) copied it into /tmp and executed it.  This
> confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
> Perl somehow bypass this?

If the command they are running is something similar to:

# perl /tmp/script.pl

Then script.pl isn't being directly executed, perl is.  In this
example, script.pl itself doesn't even need to be executable.  The same
thing can be done with shell scripts.

# sh /tmp/script.sh

The noexec flag can be bypassed by binaries that are dynamically
linked by using /lib/ld-linux.so.  You execute the linker and give the
command you want to run as the option.

# cp /usr/bin/ls /tmp
# /tmp/ls
/tmp/ls: Permission denied
# /lib/ld-linux.so.2 /tmp/ls

The only way that I'm aware of to stop the above from happening is by
using libsafe.  You will then end up with the following error:

# /lib/ld-linux.so.2 /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map
segment from shared object: Operation not permitted

One interesting observation is that the output of ldd changes when run
on commands located on noexec partitions and libsafe is being used.

# ldd /tmp/ls
       not a dynamic executable
# ldd /usr/bin/ls
       /lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40017000)
       librt.so.1 => /lib/librt.so.1 (0x4002e000)
       libc.so.6 => /lib/libc.so.6 (0x40040000)
       . . . 
       . . .

One warning, libsafe is not always the answer to securing a system
since it has a habit of interfering with programs and servers.  As
with every security measure, test, test, test.....
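As an added detection example (my own code, not from the thread or from libsafe), the check a defender can run against a host: it flags any process whose argv[0] is an interpreter or the dynamic loader and whose argument is a file on a noexec mount, which covers both the `perl /tmp/script.pl` and the `/lib/ld-linux.so.2 /tmp/ls` cases above. The sample mount table and the list of loader names are constructed assumptions; the live reader uses /proc and so only works on Linux.

```python
import os
import re
# Constructed /proc/mounts excerpt for the demonstration (not taken from the post).
SAMPLE_MOUNTS = "/dev/sda1 / ext3 rw 0 0\ntmpfs /tmp tmpfs rw,noexec,nosuid 0 0\n"
# argv[0] basenames that run a file handed to them: interpreters and the loader.
LOADER = re.compile(r"^(perl|python|sh|bash|ld-linux(-x86-64)?\.so)[.\d-]*$")

def parse_mounts(text):
    """Map each mount point to its option set, from /proc/mounts-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = set(fields[3].split(","))
    return table

def mount_for(path, mounts):
    """Longest mount point containing path; '/tmp' must not claim '/tmpfoo'."""
    inside = [mp for mp in mounts if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(inside, key=len, default="/")

def is_noexec(path, mounts):
    return "noexec" in mounts.get(mount_for(path, mounts), set())

def flag_argv(argv, mounts):
    """If argv[0] is a loader, return its first absolute argument on a noexec mount."""
    if len(argv) < 2 or not LOADER.match(os.path.basename(argv[0])):
        return None
    for arg in argv[1:]:
        if arg.startswith("/") and is_noexec(arg, mounts):
            return arg
    return None

def live_argvs():
    """argv of every process (Linux only; /proc/<pid>/cmdline is NUL-separated)."""
    argvs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as fh:
                argvs.append([a.decode(errors="replace") for a in fh.read().split(b"\0") if a])
        except OSError:
            continue
    return argvs

if __name__ == "__main__":
    mounts = parse_mounts(open("/proc/mounts").read())
    for argv in live_argvs():
        path = flag_argv(argv, mounts)
        if path:
            print("noexec bypass candidate: %s -> %s" % (" ".join(argv), path))
```

A direct `/tmp/ls` is not reported because the kernel already refuses it; the scan is aimed at the interpreter and loader cases that noexec does not stop.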
