https://wiki.atomicorp.com/wiki/index.php?title=HIDS_61026&feed=atom&action=history
HIDS 61026 - Revision history
2024-03-29T13:58:43Z
Revision history for this page on the wiki
MediaWiki 1.20.2
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_61026&diff=4843&oldid=prev
Mshinn: /* Description */
2014-05-05T18:23:14Z
<p><span dir="auto"><span class="autocomment">Description</span></span></p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 18:23, 5 May 2014</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 11:</td>
<td colspan="2" class="diff-lineno">Line 11:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Some application developers <del class="diffchange diffchange-inline">may configured </del>their applications <del class="diffchange diffchange-inline">insecure </del>to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating systems entire security model. This is a well known and widely used method of compromising systems completely.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Some application developers <ins class="diffchange diffchange-inline">configure </ins>their applications <ins class="diffchange diffchange-inline">insecurely </ins>to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating systems entire security model. This is a well known and widely used method of compromising systems completely.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any applications actually require this insecure state to operate, and <del class="diffchange diffchange-inline">often times </del>configuring applications in this manner is done by the application developer in error. You can reconfigure these applications to not do this by following the <del class="diffchange diffchange-inline">process </del>below.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any applications actually require this insecure state to operate, and <ins class="diffchange diffchange-inline">even less do this in a manner that won't lead to a serious hole in your system.  Many applications that do this don't need to, and cant do it securely.  In most cases, </ins>configuring applications in this manner is done by the application developer in error. You can reconfigure these applications to not do this by following <ins class="diffchange diffchange-inline">in </ins>the <ins class="diffchange diffchange-inline">Solutions section </ins>below.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition.  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition. <ins class="diffchange diffchange-inline"> </ins>You should investigate this event as it may be part of a broader attack.   </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>You should investigate this event as it may be part of a broader attack.   </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Log examples ==  </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Log examples ==  </div></td></tr>
<tr><td colspan="2" class="diff-lineno">Line 23:</td>
<td colspan="2" class="diff-lineno">Line 21:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>''May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>''May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>''error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied''  </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>''error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>= Troubleshooting =</div></td></tr>
</table>
Mshinn
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_61026&diff=4842&oldid=prev
Mshinn: Created page with "{{Infobox |header1= Rule 61026 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = An application has attempted to set the stack executable, this is either an ..."
2014-05-05T18:20:21Z
<p>Created page with "{{Infobox |header1= Rule 61026 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = An application has attempted to set the stack executable, this is either an ..."</p>
<p><b>New page</b></p><div>{{Infobox<br />
|header1= Rule 61026<br />
|label2 = Status<br />
|data2 = Active<br />
|label3 = Alert Message<br />
|data3 = An application has attempted to set the stack executable, this is either an attack or a very vulnerable application.<br />
}}<br />
<br />
= Description =<br />
<br />
This means that you have an application installed with a serious vulnerability. The Secure ASL kernel is preventing this application from opening a hole in your system.<br />
<br />
Some application developers may have configured their applications insecurely to use what is referred to as an "executable stack". An executable stack allows an attacker to inject raw code into your system, bypassing your operating system's entire security model. This is a well-known and widely used method of compromising systems completely.<br />
<br />
Configuring an application in this manner dangerously opens your system to full compromise. Very few, if any, applications actually require this insecure state to operate, and often configuring applications in this manner is done by the application developer in error. You can reconfigure these applications not to do this by following the process below.<br />
<br />
The ASL kernel protects you from this dangerous mistake by not allowing these applications to configure your system into this extremely insecure condition. <br />
<br />
You should investigate this event as it may be part of a broader attack. <br />
<br />
== Log examples == <br />
<br />
''May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0''<br />
<br />
''error while loading shared libraries: libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: Permission denied'' <br />
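The grsec line above names the shared object whose PT_GNU_STACK marking the kernel refused. The following is an added example, not the wiki's or ASL's own code: it parses that log format to pull out the offending object and the process that loaded it, then reads an ELF file's program headers to classify it as requesting an executable stack, a non-executable stack, or carrying no marking at all. The ELF images it checks are constructed in memory so it runs offline; the function names (parse_grsec_denial, gnu_stack_flags, classify, scan_paths, build_elf64) are the example's own.<br />

```python
"""Audit ELF objects for a PT_GNU_STACK marking that requests an executable stack.

Added example (not the Atomicorp wiki's or ASL's own code). Pulls the object
named in a grsec denial out of the log line and checks its program headers
for the marking the kernel refused. Test images are constructed in memory.
"""
import re
import struct
from pathlib import Path
from typing import Dict, Iterable, Optional

PT_GNU_STACK = 0x6474E551           # program header type for the GNU stack marking
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4    # p_flags bits
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# Matches the grsec denial shown in the wiki's log example: captures the object
# carrying the marking and the process (path, comm, pid) that loaded it.
GRSEC_RE = re.compile(
    r"denied marking stack executable as requested by PT_GNU_STACK marking in "
    r"(?P<object>\S+) by (?P<process>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)


def parse_grsec_denial(line: str) -> Optional[Dict[str, str]]:
    """Return object/process/comm/pid from a grsec executable-stack denial, else None."""
    m = GRSEC_RE.search(line)
    return m.groupdict() if m else None


def gnu_stack_flags(data: bytes) -> Optional[int]:
    """Return p_flags of the PT_GNU_STACK header, or None if the object has none.

    Raises ValueError for non-ELF input. "None" is not "safe": without a marking
    the loader falls back to the architecture default, often an executable stack.
    """
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown ELF data encoding")
    end = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        e_phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4      # Elf64_Phdr: p_type, p_flags, p_offset, ...
    elif ei_class == ELFCLASS32:
        e_phoff = struct.unpack_from(end + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24     # Elf32_Phdr: p_flags follows p_filesz/p_memsz
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + flags_off + 4 > len(data):
            raise ValueError("program header table truncated")
        if struct.unpack_from(end + "I", data, off)[0] == PT_GNU_STACK:
            return struct.unpack_from(end + "I", data, off + flags_off)[0]
    return None


def classify(data: bytes) -> str:
    """'execstack', 'noexecstack' or 'unmarked' for one ELF image."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "unmarked"
    return "execstack" if flags & PF_X else "noexecstack"


def scan_paths(paths: Iterable[Path]) -> Dict[str, str]:
    """Classify each file; unreadable or non-ELF files are reported, not fatal."""
    report = {}
    for p in paths:
        try:
            report[str(p)] = classify(p.read_bytes())
        except (OSError, ValueError) as exc:
            report[str(p)] = f"skipped: {exc}"
    return report


def build_elf64(stack_flags: Optional[int]) -> bytes:
    """Constructed test image: minimal little-endian ELF64 (ET_DYN, x86-64).

    Only the fields gnu_stack_flags() reads are meaningful. A PT_LOAD entry
    comes first so the scan has to skip an unrelated header.
    """
    phdrs = [struct.pack("<IIQQQQQQ", 1, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    # Constructed input: the wiki's own log example, not a live host.
    LOG = ("May 5 09:24:02 server3 host: grsec: From 1.2.3.4: denied marking stack "
           "executable as requested by PT_GNU_STACK marking in "
           "/usr/local/cpanel/3rdparty/php/54/zendopt/ZendGuardLoader.so by "
           "/usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi"
           "[addon_installat:3705] uid/euid:0/0 gid/egid:0/0")
    print(parse_grsec_denial(LOG))
    for name, flags in (("rwe", PF_R | PF_W | PF_X), ("rw", PF_R | PF_W), ("none", None)):
        print(name, classify(build_elf64(flags)))
```

On a host that has raised this alert, pass the object and process paths from the log to scan_paths(); readelf -lW on the same file shows the GNU_STACK entry and its RWE flags if you prefer the binutils view. Unmarked objects are reported separately from "execstack" because a missing marking is still a risk: the loader then applies the architecture default rather than a non-executable stack.<br />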
<br />
= Troubleshooting =<br />
<br />
== Solutions ==<br />
<br />
Please see this article for solutions if your application has this vulnerability:<br />
<br />
https://www.atomicorp.com/wiki/index.php/ASL_error_messages#cannot_enable_executable_stack_as_shared_object_requires<br />
<br />
== False Positives ==<br />
<br />
Please report this to support if you know this is not an attack.<br />
<br />
= Additional Information =<br />
<br />
== Similar Rules ==<br />
<br />
[[HIDS_60027]]<br />
<br />
== Knowledge Base Articles ==<br />
<br />
None.</div>
Mshinn