HIDS 60027
Rule 60027 | |
---|---|
Status | Active |
Alert Message | Denied a RWX mmap event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel. |
Description
This means one of two things:
1) The program is being attacked, and the attack was stopped
2) The program is attempting to perform a dangerous operation that could cause your system to be compromised
In both cases, the ASL kernel prevented the program from doing this and the action was stopped. Specifically, this protection in the ASL kernel guarantees that memory pages will not become both writable and executable, and thus fertile ground for simple, widely exploited code injection attacks. Without this restriction, a three-step exploit is possible: Inject code, ret2libc::ret2mprotect(), execute code.
This protection may also be triggered by malicious applications. Some malicious applications are known to use this method to modify their own code in real time in an attempt to evade in-memory malware scanners.
You can read more about the technical details of this kernel protection capability in this article:
http://pax.grsecurity.net/docs/mprotect.txt
You should investigate this event as it may be part of a broader attack. In all cases, any application doing this is doing something dangerous on your system, and is exposing your system to potential compromise.
Log examples
Jun 27 20:32:38 host kernel: grsec: From 1.2.3.4: denied RWX mmap of <anonymous mapping> by /usr/sbin/r1soft/bin/2-6/cdp-2-6[cdp-2-6:6653] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003
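When investigating this event, it helps to break each log line into the operation, the mapping target, the offending process and its parent. The following parser is an added example, not part of the original page or of ASL; the function names `parse_denied_rwx` and `summarize` are hypothetical, and it assumes the line layout shown in the log examples above.

```python
import re
from collections import Counter

# One process descriptor as grsec prints it: path[comm:pid] uid/euid:U/E gid/egid:G/E
_PROC = (r"(?P<{p}path>\S+)\[(?P<{p}comm>[^:\]]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) "
         r"gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")

# Assumptions: the "From <ip>:" prefix may be absent; executable paths contain no spaces.
DENIED_RWX = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied RWX (?P<op>mmap|mprotect) of "
    r"(?P<target>.+?) by " + _PROC.format(p="") + r", parent " + _PROC.format(p="parent_"))

def parse_denied_rwx(line):
    """Return the fields of a 'denied RWX' line as a dict, or None if it does not match."""
    m = DENIED_RWX.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for prefix in ("", "parent_"):
        for name in ("pid", "uid", "euid", "gid", "egid"):
            ev[prefix + name] = int(ev[prefix + name])
    ev["as_root"] = ev["euid"] == 0                          # denial hit a root process
    ev["anonymous"] = ev["target"].startswith("<anonymous")  # mapping has no backing file
    return ev

def summarize(lines):
    """Count denials per (executable, operation) so repeat offenders stand out."""
    return Counter((e["path"], e["op"]) for e in map(parse_denied_rwx, lines) if e)

# The three log examples from this page, plus one unrelated line constructed for the example.
SAMPLE = [
    "Jun 27 20:32:38 host kernel: grsec: From 1.2.3.4: denied RWX mmap of <anonymous mapping> by /usr/sbin/r1soft/bin/2-6/cdp-2-6[cdp-2-6:6653] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0",
    "May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003",
    "Jun 27 20:32:39 host sshd[1234]: Accepted publickey for admin from 1.2.3.4 port 50000 ssh2",
]

if __name__ == "__main__":
    for ev in filter(None, map(parse_denied_rwx, SAMPLE)):
        print(ev["op"], ev["target"], ev["path"], "euid=%d" % ev["euid"],
              "parent=" + ev["parent_path"])
```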
Troubleshooting
Solutions
Please see this article if this event is triggered by paxtest:
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#grsec:_denied_RWX_mprotect
Please see this article for solutions if your application has this vulnerability:
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#denied_RWX_mmap_of
Note: Java may require you to open other holes in your system. If you are attempting to fix Java, please see this article:
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#Java_is_stopped_by_PAX
False Positives
Please report this to support if you know this is not an attack.
Additional Information
Similar Rules
Knowledge Base Articles
None.