Difference between revisions of "HIDS 60227"
Latest revision as of 15:07, 20 February 2017
Example log message:
system kernel: grsec: denied RWX mprotect of <anonymous mapping> by /lib64/ld-2.5.so[ld-linux-x86-64:27597] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/prelink[prelink:25897] uid/euid:0/0 gid/egid:0/0
Explanation:
The kernel contains numerous protections to prevent applications from being compromised, including protections for the kernel itself to prevent root-level compromises. One of these is to restrict the use of the mprotect function (http://pax.grsecurity.net/docs/mprotect.txt), which can be used to introduce new executable code into the task's address space. This method can be used to compromise an application, which could lead to a partial or full compromise of the system depending on the application or applications involved. This protection closes a commonly used hole that attackers use to compromise systems.
If you see this alert, it means that an application is attempting to use this function. There are three possibilities: an insecure application may be attempting to use this insecure function legitimately, in which case we recommend you contact the developer and ask them to use a more secure method; an application may be using it in a manner that is likely to be unexploitable (although this is very difficult to know without significant knowledge about the application and its uses); or this may be an attempt to compromise your system.
If you wish to allow a specific application to use this unsafe function, please see the mprotect FAQ article (http://wiki.atomicorp.com/wiki/index.php/ASL_error_messages#mprotect.28.29:_13_.28Permission_denied.29). We do not recommend that you enable an application to do this without careful analysis of all possible vectors that could be used to compromise the system. It will open your system up to potential compromise that the kernel will not be able to protect you against, and which may not be detectable by any rootkit detector.
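As an added example (not part of this wiki page or of ASL itself), here is a small Python parser for the grsec mprotect denial format shown above, with a triage step that applies an administrator-maintained allowlist of binaries already reviewed per the FAQ. The second sample log line and the allowlist paths are constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample: the first line is the page's example, the second is an
# invented non-root denial used to exercise the other triage branch.
SAMPLE_LOG = """\
system kernel: grsec: denied RWX mprotect of <anonymous mapping> by /lib64/ld-2.5.so[ld-linux-x86-64:27597] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/prelink[prelink:25897] uid/euid:0/0 gid/egid:0/0
system kernel: grsec: denied RWX mprotect of /opt/app/lib/libjit.so by /opt/app/bin/app[app:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4100] uid/euid:1000/1000 gid/egid:1000/1000
"""

# "uid/euid:U/E gid/egid:G/EG" appears twice per line (task, then parent); the prefix names the groups.
_IDS = r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)"
DENIAL = re.compile(
    r"grsec: denied (?P<prot>\S+) mprotect of (?P<target>.+?) by "
    r"(?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] " + _IDS.format(p="") +
    r", parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] " + _IDS.format(p="p")
)
_INT_FIELDS = ("pid", "ppid", "uid", "euid", "gid", "egid", "puid", "peuid", "pgid", "pegid")


def parse_mprotect_denial(line: str) -> Optional[dict]:
    """Return the fields of one grsec mprotect denial, or None for any other line."""
    m = DENIAL.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in _INT_FIELDS:
        entry[key] = int(entry[key])
    return entry


def triage(entry: dict, allowlist: frozenset = frozenset()) -> str:
    """'allowlisted': binary reviewed and permitted per the FAQ.
    'review-root': the denied task ran with euid 0, so a successful RWX mapping
    would have been a root-level compromise; look at these first.
    'review': everything else (developer bug or attack; needs analysis)."""
    if entry["exe"] in allowlist:
        return "allowlisted"
    if entry["euid"] == 0:
        return "review-root"
    return "review"


def scan(log_text: str, allowlist: frozenset = frozenset()) -> list:
    """Run the parser over a log and return (exe, pid, parent exe, verdict) per denial."""
    found = []
    for line in log_text.splitlines():
        entry = parse_mprotect_denial(line)
        if entry is not None:
            found.append((entry["exe"], entry["pid"], entry["pexe"], triage(entry, allowlist)))
    return found
```

`scan(SAMPLE_LOG)` returns one tuple per denial; feed the output of `scan` into whatever alerting you already have rather than pattern-matching the raw syslog text again.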