HIDS 61026
Rule 61026 | |
---|---|
Status | Active |
Alert Message | An application has attempted to set the stack executable, this is either an attack or a very vulnerable application. |
Description
This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.
Some application developers may have insecurely configured their applications to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating system's entire security model. This is a well-known and widely used method of compromising systems completely.
Configuring an application in this manner dangerously opens your system to full compromise. Very few applications, if any, actually require this insecure state to operate, and configuring applications in this manner is often done by the application developer in error. You can reconfigure these applications to not do this by following the process below.
The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition.
You should investigate this event as it may be part of a broader attack.
Log examples
May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied
Troubleshooting
Solutions
Please see this article for solutions if your application has this vulnerability:
False Positives
Please report this to support if you know this is not an attack.
Additional Information
Similar Rules
Knowledge Base Articles
None.