HIDS 61026
Rule 61026 | |
---|---|
Status | Active |
Alert Message | An application has attempted to set the stack executable, this is either an attack or a very vulnerable application. |
Description
This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.
Some application developers configure their applications insecurely to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating system's entire security model. This is a well-known and widely used method of compromising systems completely.
Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any, applications actually require this insecure state to operate, and even fewer do this in a manner that won't lead to a serious hole in your system. Many applications that do this don't need to, and can't do it securely. In most cases, configuring applications in this manner is done by the application developer in error. You can reconfigure these applications to not do this by following the steps in the Solutions section below.
The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition. You should investigate this event as it may be part of a broader attack.
Log examples
May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied
Troubleshooting
Solutions
Please see this article for solutions if your application has this vulnerability:
False Positives
Please report this to support if you know this is not an attack.
Additional Information
Similar Rules
Knowledge Base Articles
None.