Difference between revisions of "HIDS 61026"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with "{{Infobox |header1= Rule 61026 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = An application has attempted to set the stack executable, this is either an ...")
 
m (Description)
 
Line 11: Line 11:
 
This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.
 
This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.
  
Some application developers may configured their applications insecure to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating systems entire security model. This is a well known and widely used method of compromising systems completely.
+
Some application developers configure their applications insecurely to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating systems entire security model. This is a well known and widely used method of compromising systems completely.
  
Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any applications actually require this insecure state to operate, and often times configuring applications in this manner is done by the application developer in error. You can reconfigure these applications to not do this by following the process below.
+
Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any applications actually require this insecure state to operate, and even less do this in a manner that won't lead to a serious hole in your system.  Many applications that do this don't need to, and cant do it securely.  In most cases, configuring applications in this manner is done by the application developer in error. You can reconfigure these applications to not do this by following in the Solutions section below.
  
The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition.  
+
The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition. You should investigate this event as it may be part of a broader attack.   
 
+
You should investigate this event as it may be part of a broader attack.   
+
  
 
== Log examples ==  
 
== Log examples ==  
Line 23: Line 21:
 
''May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0''
 
''May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0''
  
''error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied''  
+
''error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied''
  
 
= Troubleshooting =
 
= Troubleshooting =

Latest revision as of 14:23, 5 May 2014

Rule 61026
Status Active
Alert Message An application has attempted to set the stack executable, this is either an attack or a very vulnerable application.

Contents

[edit] Description

This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.

Some application developers configure their applications insecurely to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating systems entire security model. This is a well known and widely used method of compromising systems completely.

Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any applications actually require this insecure state to operate, and even less do this in a manner that won't lead to a serious hole in your system. Many applications that do this don't need to, and cant do it securely. In most cases, configuring applications in this manner is done by the application developer in error. You can reconfigure these applications to not do this by following in the Solutions section below.

The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition. You should investigate this event as it may be part of a broader attack.

[edit] Log examples

May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0

error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied

[edit] Troubleshooting

[edit] Solutions

Please see this article for solutions if your application has this vulnerability:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#cannot_enable_executable_stack_as_shared_object_requires

[edit] False Positives

Please report this to support if you know this is not an attack.

[edit] Additional Information

[edit] Similar Rules

HIDS_60027

[edit] Knowledge Base Articles

None.

Personal tools