Difference between revisions of "HIDS 60027"

From Atomicorp Wiki
Jump to: navigation, search
(Created page with " {{Infobox |header1= Rule 60027 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = >Denied a RWX mmap event. An application just attmpted to use the mprotect f...")
 
m (PHP)
 
(9 intermediate revisions by one user not shown)
Line 4: Line 4:
 
|data2 = Active
 
|data2 = Active
 
|label3 = Alert Message
 
|label3 = Alert Message
|data3 =  >Denied a RWX mmap event. An application just attmpted to use the mprotect function to bypass memory protection functions in the kernel.
+
|data3 =  Denied a RWX mmap event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel.
 
}}
 
}}
  
 
= Description =
 
= Description =
  
This means this program is attempting to either perform a dangerous operation, that could cause your system to be compromised, or someone is trying to break into your system and the ASL kernel is preventing this program from doing this.
+
This means this program is:
  
This may also occur with malicious applications, or applications that do things in a dangerous way. You can read more about this kernel protection capability in this article:
+
1) Being attacked, and the attack was stopped
 +
 
 +
2) The program is attempting to perform a dangerous operation, that could cause your system to be compromised.
 +
 
 +
In both cases, this means the ASL kernel is preventing this program from doing this and the action was stopped.  Many, and perhaps even most, computer insecurities are due to errors in programs that make it possible to alter their function, effectively allowing them to be "rewritten" while running. Specifically, this protection in the ASL kernel guarantees that this can not occur, by enforcing that memory pages will not become both writable and executable, and thus fertile ground for simple widely exploited code injection attacks.  Without this restriction, a three step exploit is possible: Inject code, ret2libc::ret2mprotect(), execute code.
 +
 
 +
This protection may also be triggered by malicious applications.  Some malicious applications are known to try to use this method to modify their code in real time, to try to evade malware in memory scanners.  
 +
 
 +
You can read more about the technical details of this kernel protection capability in this article:
  
 
http://pax.grsecurity.net/docs/mprotect.txt  
 
http://pax.grsecurity.net/docs/mprotect.txt  
You should investigate this event as it may be part of a broader attack.   
+
 
 +
'''You should investigate this event as it may be part of a broader attack.  In all cases, any application doing this is doing something dangerous on your system, and is exposing your system to potential compromise.'''
  
 
== Log examples ==  
 
== Log examples ==  
 +
 +
Jun 27 20:32:38 host kernel: grsec: From 1.2.3.4: denied RWX mmap of <anonymous mapping> by /usr/sbin/r1soft/bin/2-6/cdp-2-6[cdp-2-6:6653] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
  
 
May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
 
May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0
  
May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003  
+
May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003
  
 
= Troubleshooting =
 
= Troubleshooting =
Line 26: Line 37:
 
== Solutions ==
 
== Solutions ==
  
Please see this article for solutions if your application has this vulnerability:
+
=== paxtest ===
 +
 
 +
Please see this article if you see this event for any '''paxtest''' events:
 +
 
 +
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#grsec:_denied_RWX_mprotect
 +
 
 +
=== PHP ===
 +
 
 +
Newer versions of PHP, starting with PHP 7, may need to open this hole in your system.  The instructions below are generic and should work for most platforms, however if you have a third party apache install your commands may be different to start apache and shut down php-fpm, please contact your apache vendor assistance if the commands below do not work stop stop and start apache and php-fpm.
 +
 
 +
Step 1, Stop apache)
 +
 
 +
service httpd stop
 +
 
 +
Step 2, Stop php-fpm)
 +
 
 +
killall -9 php-fpm
 +
 
 +
Step 3, Set the flag on PHP to allow this hole to be opened on your system)
 +
 
 +
paxctl -c -m /opt/cpanel/ea-php70/root/usr/sbin/php-fpm
 +
 
 +
In the example above, the path to php-fpm is "/opt/cpanel/ea-php70/root/usr/sbin/php-fpm", this may be different on your system.  Please check the event log for the correct path to php-fpm on your system.
 +
 
 +
Step 4, restart apache)
 +
 
 +
service httpd start
 +
 
 +
Step 5, restart the php-fpm services)
 +
 
 +
service ea-php71-php-fpm restart
 +
 
 +
service ea-php70-php-fpm restart
 +
 
 +
service ea-php56-php-fpm restart
 +
 
 +
Note:  Check with your control panel to see which PHP fpm services you have enabled for your system, this is just an example for common cpanel systems.
 +
 
 +
If you need assistance, please contact support.
 +
 
 +
=== Generic ===
 +
 
 +
Please see these article for '''solutions if your application requires to be run this way, and therefore has the mmap weakness''':
  
 
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#denied_RWX_mmap_of
 
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#denied_RWX_mmap_of
  
Note: Java may require you to open other holes in your system. If you are attempting to fix Java, please see this article:
+
=== Java ===
 +
 
 +
Note: '''Java''' may require you to open other holes in your system. If you are attempting to allow Java to do this, please see this article:
  
 
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#Java_is_stopped_by_PAX
 
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#Java_is_stopped_by_PAX
Line 47: Line 102:
  
 
None.
 
None.
 +
 +
== External Articles ==
 +
 +
https://en.wikipedia.org/wiki/PaX#Restricted_mprotect.28.29

Latest revision as of 12:05, 2 June 2017

Rule 60027
Status Active
Alert Message Denied a RWX mmap event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel.

Contents

[edit] Description

This means this program is:

1) Being attacked, and the attack was stopped

2) The program is attempting to perform a dangerous operation, that could cause your system to be compromised.

In both cases, this means the ASL kernel is preventing this program from doing this and the action was stopped. Many, and perhaps even most, computer insecurities are due to errors in programs that make it possible to alter their function, effectively allowing them to be "rewritten" while running. Specifically, this protection in the ASL kernel guarantees that this can not occur, by enforcing that memory pages will not become both writable and executable, and thus fertile ground for simple widely exploited code injection attacks. Without this restriction, a three step exploit is possible: Inject code, ret2libc::ret2mprotect(), execute code.

This protection may also be triggered by malicious applications. Some malicious applications are known to try to use this method to modify their code in real time, to try to evade malware in memory scanners.

You can read more about the technical details of this kernel protection capability in this article:

http://pax.grsecurity.net/docs/mprotect.txt

You should investigate this event as it may be part of a broader attack. In all cases, any application doing this is doing something dangerous on your system, and is exposing your system to potential compromise.

[edit] Log examples

Jun 27 20:32:38 host kernel: grsec: From 1.2.3.4: denied RWX mmap of <anonymous mapping> by /usr/sbin/r1soft/bin/2-6/cdp-2-6[cdp-2-6:6653] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0

May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003

[edit] Troubleshooting

[edit] Solutions

[edit] paxtest

Please see this article if you see this event for any paxtest events:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#grsec:_denied_RWX_mprotect

[edit] PHP

Newer versions of PHP, starting with PHP 7, may need to open this hole in your system. The instructions below are generic and should work for most platforms, however if you have a third party apache install your commands may be different to start apache and shut down php-fpm, please contact your apache vendor assistance if the commands below do not work stop stop and start apache and php-fpm.

Step 1, Stop apache)

service httpd stop

Step 2, Stop php-fpm)

killall -9 php-fpm

Step 3, Set the flag on PHP to allow this hole to be opened on your system)

paxctl -c -m /opt/cpanel/ea-php70/root/usr/sbin/php-fpm

In the example above, the path to php-fpm is "/opt/cpanel/ea-php70/root/usr/sbin/php-fpm", this may be different on your system. Please check the event log for the correct path to php-fpm on your system.

Step 4, restart apache)

service httpd start

Step 5, restart the php-fpm services)

service ea-php71-php-fpm restart

service ea-php70-php-fpm restart

service ea-php56-php-fpm restart

Note: Check with your control panel to see which PHP fpm services you have enabled for your system, this is just an example for common cpanel systems.

If you need assistance, please contact support.

[edit] Generic

Please see these article for solutions if your application requires to be run this way, and therefore has the mmap weakness:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#denied_RWX_mmap_of

[edit] Java

Note: Java may require you to open other holes in your system. If you are attempting to allow Java to do this, please see this article:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#Java_is_stopped_by_PAX

[edit] False Positives

Please report this to support if you know this is not an attack.

[edit] Additional Information

[edit] Similar Rules

HIDS_61027

[edit] Knowledge Base Articles

None.

[edit] External Articles

https://en.wikipedia.org/wiki/PaX#Restricted_mprotect.28.29

Personal tools