HIDS 61027

From Atomicorp Wiki
Jump to: navigation, search
Rule 61027
Status Active
Alert Message Denied a RWX mprotect event. An application just attmpted to use the mprotect function to bypass memory protection functions in the kernel.


[edit] Description

This means an application is trying to do something dangerous on your system and ASL is protecting you from this action. Please read this article for additional important information about this event.

Specifically, the ASL kernel protects your system by restricting the mprotect() system call which makes it difficult for an attacker to bypass stack protection systems. This makes it impossible for an attacker to change protection of a specific memory region, for example to mark it as executable if it wasn't originally executable, or to create a new writeable and executable memory mapping using the mmap() call. Without this feature, all the "Stack Protection and "non-executable memory regions" security features used today are more or less useless, as an attacker can just change the permissions on your Stack protection to allow them to compromise the system. In other words, on a non-ASL system the attacker can just disable your stack protection.

Unlike other systems, ASL protects you from this vulnerability.

This protection in the ASL kernel is critical to making stack protection meaningful. Therefore, if you encounter this message, the application has been stopped from doing something very dangerous to your system. The application may not be trying to compromise your system, but it is making it much easier for an attacker to compromise your system in the future if the application were allowed to do this. Therefore, you should carefully consider if you want to allow an application to do this. If you allow an application to do this you are opening your system to stack and heap based attacks through that application.

It is important then to ensure that your your application absolutely needs this capability, and that if it does and you want to allow it that you can trust the application, that its not vulnerable to stack and heap based attacks, and that you are certain that the application is not going to be used by an attacker to compromise your system.

Applications that work with untrusted data, such as scanners, daemons and servers shouldn't be allowed to do this unless you know that they have no other vulnerabilities associated with this issue.

You should always investigate this event as it may be part of an actual attack on your system.

Note: Disabling this rule will not disable this protection, it will however tell ASL to not inform you of these events.

[edit] Log examples

May 5 09:24:02 host kernel: grsec: From denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0

May 1 01:01:01 host kernel: grsec: From denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003

[edit] Log examples of Trojans

kernel: grsec: denied RWX mprotect of /usr/sbin/sshd by /usr/sbin/sshd[sshd:19653] uid/euid:0/0 gid/egid:0/0, parent /etc/rc.d/init.d/sshd[sshd:19639] uid/euid:0/0 gid/egid:0/0

In the example above, this was generated from a trojaned version of sshd. Always confirm that your applications needs to open this hole in your system. More often than not, the application either does not need to do this, or its malicious.

[edit] Troubleshooting

[edit] Solutions

Please see this article for solutions if your application has this vulnerability:


[edit] False Positives

False positive are extremely rare for this rule.

If you are certain this is not an attack, or your application has not been replaced by a malicious backdoored version, please report this to support if you know this is not an attack and include the log messages along with the alert ID. Reporting just the rule ID will not provide the information we will need to help you.

[edit] Additional Information

[edit] Similar Rules


[edit] Knowledge Base Articles


Personal tools