HIDS 61027

| Rule 61027 | |
|---|---|
| Status | Active |
| Alert Message | Denied a RWX mprotect event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel. |
Description
This means an application is trying to do something dangerous on your system. Specifically, the ASL kernel protects your system by restricting the mprotect() system call, which makes it difficult for an attacker to bypass stack protection. This makes it impossible for an attacker to change the protection of a specific memory region, for example to mark it as executable if it wasn't originally executable, or to create a new writable and executable memory mapping using the mmap() call. Without this feature, all the "stack protection" and "non-executable memory region" security features used today are more or less useless, as the attacker simply changes the permissions on the protected memory to allow them to compromise the system. Unlike other systems, ASL protects you from this vulnerability.
This protection in the ASL kernel is critical to making stack protection meaningful. Therefore, if you encounter this message, the application has been stopped from doing something very dangerous to your system. It may not be trying to compromise it, but if it were allowed to do this it would make it much easier for an attacker to compromise your system in the future. You should therefore carefully consider whether you want to allow an application to do this. If you allow it, you are opening your system to stack- and heap-based attacks through that application.
It is important, then, to ensure that your application absolutely needs this capability; that, if it does and you want to allow it, you can trust the application; and that you are certain the application is not going to be used by an attacker to compromise your system.
Applications that work with untrusted data, such as scanners and servers, shouldn't be allowed to do this unless you know that they have no other vulnerabilities associated with this issue.
You should investigate this event as it may be part of a broader attack.
Log examples
May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003
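As an added example (not part of this rule page or of ASL itself), the following Python parses grsec "denied RWX mprotect" lines of the shape shown above into their fields and applies the triage criteria the description gives: a denial matters most when the process runs as root, when real and effective ids differ, or when the process or its parent is a network-facing service that handles untrusted data. The NETWORK_FACING set and the unrelated third sample line are constructed assumptions for the demonstration; the first two sample lines are the page's own log examples.

```python
"""Parse and triage grsecurity 'denied RWX mprotect' kernel log lines.

Added example; the log format follows the two lines shown under
"Log examples" on this page. NETWORK_FACING and the third sample line
are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Optional

# One grsec RWX-mprotect denial as logged by the kernel. The "From <ip>:"
# prefix is treated as optional because it is not present on every event.
# The [comm:pid] field carries the kernel's 15-character task name, which is
# why "addon_installatron.cgi" appears as "addon_installat" in the first line.
GRSEC_RWX_MPROTECT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: grsec: "
    r"(?:From (?P<src>[0-9a-fA-F.:]+): )?"
    r"denied RWX mprotect of (?P<target>\S+) by "
    r"(?P<proc>[^\[\s]+)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pproc>[^\[\s]+)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\] "
    r"uid/euid:(?P<puid>\d+)/(?P<peuid>\d+) gid/egid:(?P<pgid>\d+)/(?P<pegid>\d+)$"
)

_INT_FIELDS = ("pid", "uid", "euid", "gid", "egid",
               "ppid", "puid", "peuid", "pgid", "pegid")

# Task names this example treats as handling untrusted input. This set is an
# assumption for the demonstration, not something rule 61027 itself defines.
NETWORK_FACING = {"cpsrvd", "cpsrvd-ssl", "php-cgi", "httpd", "nginx"}

# Constructed sample input: the two lines from the page's "Log examples"
# section plus one unrelated kernel message that must be ignored.
SAMPLE_LOG_LINES = [
    "May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0",
    "May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003",
    "May 1 01:02:00 host kernel: eth0: link up",
]


def parse_event(line: str) -> Optional[dict]:
    """Return the parsed fields of one denial, or None for any other line."""
    m = GRSEC_RWX_MPROTECT.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in _INT_FIELDS:
        ev[key] = int(ev[key])
    return ev


def triage(ev: dict) -> list[str]:
    """List the reasons a denial deserves attention, following the page's
    guidance: root context and network-facing processes are the risky cases."""
    reasons = []
    if ev["euid"] == 0:
        reasons.append("process runs with euid 0 (root)")
    if ev["uid"] != ev["euid"] or ev["gid"] != ev["egid"]:
        reasons.append("real and effective ids differ (setuid/setgid context)")
    if ev["comm"] in NETWORK_FACING or ev["pcomm"] in NETWORK_FACING:
        reasons.append("process or its parent is a network-facing service")
    return reasons


def summarize(lines: list[str]) -> dict:
    """Parse a batch of log lines and count denials per offending binary."""
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    by_process = Counter(ev["proc"] for ev in events)
    return {"events": events, "by_process": by_process}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG_LINES)
    for ev in summary["events"]:
        print(f"{ev['ts']} {ev['proc']} (pid {ev['pid']}, euid {ev['euid']}) "
              f"-> {ev['target']}: {', '.join(triage(ev)) or 'no risk flags'}")
    for proc, n in summary["by_process"].most_common():
        print(f"{n:3d}  {proc}")
```

The per-binary count from summarize() is what tells you whether a denial is a one-off or a repeating pattern from the same application, which is the question the Description asks you to settle before deciding whether that application should ever be allowed RWX mappings.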
Troubleshooting
Solutions
Please see this article for solutions if your application has this vulnerability:
False Positives
Please report this to support if you know this is not an attack.
Additional Information
Similar Rules
[HIDS_60128]
Knowledge Base Articles
None.