HIDS 61027

From Atomicorp Wiki
Revision as of 18:08, 19 January 2015 by Mshinn (Talk | contribs)

Rule: 61027
Status: Active
Alert Message: Denied a RWX mprotect event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel.


Description

This means an application is trying to do something dangerous on your system and ASL is protecting you from this action. Please read this article for additional important information about this event.


Specifically, the ASL kernel protects your system by restricting the mprotect() system call, which makes it difficult for an attacker to bypass stack protection systems. This makes it impossible for an attacker to change the protection of a specific memory region, for example to mark it as executable if it wasn't originally executable, or to create a new writable and executable memory mapping using the mmap() call. Without this feature, all the "stack protection" and "non-executable memory regions" security features used today are more or less useless, as the attacker can simply change the permissions on your stack protection to allow them to compromise the system. Unlike other systems, ASL protects you from this vulnerability.

This protection in the ASL kernel is critical to making stack protection meaningful. Therefore, if you encounter this message, the application has been stopped from doing something very dangerous to your system. It may not be trying to compromise the system itself, but if it were allowed to do this it would make it much easier for an attacker to compromise your system in the future. Therefore, you should carefully consider whether you want to allow an application to do this. If you allow an application to do this, you are opening your system to stack and heap based attacks through that application.

It is important, then, to ensure that your application absolutely needs this capability, that if it does and you want to allow it you can trust the application, and that you are certain the application is not going to be used by an attacker to compromise your system.

Applications that work with untrusted data, such as scanners and servers shouldn't be allowed to do this unless you know that they have no other vulnerabilities associated with this issue.

You should investigate this event as it may be part of a broader attack.

Note: Do not disable this rule. Disabling this rule will not disable this protection, it will however tell ASL to not inform you of these attempted compromises.

Log examples

May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0

May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003
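The two log lines above carry everything needed to triage this event: which binary was denied, which file it tried to remap, the process and parent process with their PIDs, the real and effective uid/gid of each, and the remote address the kernel associated with the process. The following parser is an added example written for this page and is not Atomicorp's or grsecurity's code; the field layout is inferred from the two sample lines above (plus one constructed non-matching line), and the triage heuristics (root euid raises severity; every event is at least medium, since the page says to investigate all of them) are the author's own assumption.

```python
import re
from collections import Counter

# Constructed sample input: the two log lines from this wiki page, plus one
# unrelated grsec line that the parser must skip rather than misparse.
SAMPLE_LOG = """\
May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003
May 1 01:02:00 host kernel: grsec: some other grsec message that is not an RWX mprotect denial
"""

# Field layout inferred from the sample lines above (assumption, not a spec).
# "From <addr>:" is optional so lines without a remote address still parse.
GRSEC_RWX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"(?:From (?P<src>\S+): )?"
    r"denied RWX mprotect of (?P<target>\S+) by "
    r"(?P<proc>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pproc>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)$"
)

_INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
               "ppid", "puid", "peuid", "pgid", "pegid")


def parse_line(line):
    """Parse one syslog line; return a dict of fields, or None if it is not
    a 'denied RWX mprotect' event."""
    m = GRSEC_RWX_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in _INT_FIELDS:
        ev[key] = int(ev[key])
    return ev


def triage(ev):
    """Return (severity, reasons) for one event. The kernel already denied
    the call; the severity only orders the follow-up investigation.
    Heuristics are this example's assumption, not an Atomicorp scoring."""
    reasons = []
    if ev["euid"] == 0 or ev["peuid"] == 0:
        # A bypass that had succeeded here would have run with root privilege.
        reasons.append("process or parent runs with euid 0")
    if ev["src"]:
        # The kernel attributed the event to a remote address, i.e. the
        # process was handling a network client (untrusted input).
        reasons.append("event attributed to remote address %s" % ev["src"])
    severity = "high" if ev["euid"] == 0 or ev["peuid"] == 0 else "medium"
    return severity, reasons


def summarize(log_text):
    """Count denials per (denied binary, effective uid), so a single
    application repeatedly tripping the rule stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            counts[(ev["proc"], ev["euid"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        sev, why = triage(ev)
        print("%s %s pid=%d euid=%d target=%s parent=%s[%d] -> %s (%s)" % (
            ev["ts"], ev["proc"], ev["pid"], ev["euid"], ev["target"],
            ev["pproc"], ev["ppid"], sev, "; ".join(why)))
    print(summarize(SAMPLE_LOG))
```

Feeding the parser a rotated /var/log/messages gives you the per-binary counts the Solutions section below asks you to reason about: a binary that needs RWX mappings will show up every time it runs, whereas a binary that has never tripped the rule before and suddenly does is the case the page tells you to treat as a possible attack.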

Troubleshooting

Solutions

Please see this article for solutions if your application has this vulnerability:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#mprotect.28.29:_13_.28Permission_denied.29

False Positives

False positives are extremely rare for this rule.

If you are certain that this is not an attack and that your application has not been replaced by a malicious backdoored version, please report this to support and include the log messages along with the alert ID. Reporting just the rule ID will not provide the information we will need to help you.

Additional Information

Similar Rules

HIDS_60027

Knowledge Base Articles

None.
