From: Xiaotian Feng on
On Tue, Apr 13, 2010 at 10:52 AM, <wzt.wzt(a)gmail.com> wrote:
> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
> But the config "Filter access to /dev/mem" is "default n", which allows kernel
> rootkits to use /dev/mem again; it can access all kernel memory by default. Most
> administrators don't know that "Filter access to /dev/mem" is "default N" when
> they compile the kernel, so it is easily attacked by a rootkit.

Have you ever successfully attacked a system this way? If CONFIG_STRICT_DEVMEM
is not set, /dev/mem access is filtered in the PAT code.

>
> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>
>
> ---
>  arch/x86/Kconfig.debug            |    3 ++-
>  arch/x86/configs/i386_defconfig   |    2 +-
>  arch/x86/configs/x86_64_defconfig |    2 +-
>  3 files changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
> index bc01e3e..733aea6 100644
> --- a/arch/x86/Kconfig.debug
> +++ b/arch/x86/Kconfig.debug
> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug"
>
>  config STRICT_DEVMEM
>        bool "Filter access to /dev/mem"
> +       default y
>        ---help---
>          If this option is disabled, you allow userspace (root) access to all
>          of memory, including kernel and userspace memory. Accidental
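Review bot: the `default y` line is the whole point of the patch, but the changelog only says that administrators do not notice the option; the help text in this same block states that the filter is sufficient for dosemu, X and all common /dev/mem users, so the commit message should cite that as the reason a default flip is safe, and should address whether the x86 PAT path already applies the same range check without this option (the question raised in the replies), since that decides whether the change is a hardening or only a default-config cleanup.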
> @@ -20,7 +21,7 @@ config STRICT_DEVMEM
>          This is sufficient for dosemu and X and all common users of
>          /dev/mem.
>
> -         If in doubt, say Y.
> +         If in doubt, say N.
>
>  config X86_VERBOSE_BOOTUP
>        bool "Enable verbose x86 bootup info messages"
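Review bot: this hunk points the wrong way: the option now defaults to y, yet the help text is changed from "If in doubt, say Y." to "If in doubt, say N.", which tells an unsure user to switch off the very filter the patch is enabling. Drop this hunk and keep "If in doubt, say Y." so the advice matches the new default.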
> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
> index d28fad1..95c85a8 100644
> --- a/arch/x86/configs/i386_defconfig
> +++ b/arch/x86/configs/i386_defconfig
> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>  # CONFIG_SAMPLES is not set
>  CONFIG_HAVE_ARCH_KGDB=y
>  # CONFIG_KGDB is not set
> -# CONFIG_STRICT_DEVMEM is not set
> +CONFIG_STRICT_DEVMEM=y
>  CONFIG_X86_VERBOSE_BOOTUP=y
>  CONFIG_EARLY_PRINTK=y
>  CONFIG_EARLY_PRINTK_DBGP=y
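Review bot: the defconfig line agrees with the new Kconfig default, but as posted it disagrees with the help-text hunk in the same patch ("say N"); once that hunk is dropped, Kconfig.debug and both defconfigs say the same thing. Keeping the line in its existing position after CONFIG_KGDB is correct for a hand-edited full defconfig.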
> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
> index 6c86acd..659bfe7 100644
> --- a/arch/x86/configs/x86_64_defconfig
> +++ b/arch/x86/configs/x86_64_defconfig
> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>  # CONFIG_SAMPLES is not set
>  CONFIG_HAVE_ARCH_KGDB=y
>  # CONFIG_KGDB is not set
> -# CONFIG_STRICT_DEVMEM is not set
> +CONFIG_STRICT_DEVMEM=y
>  CONFIG_X86_VERBOSE_BOOTUP=y
>  CONFIG_EARLY_PRINTK=y
>  CONFIG_EARLY_PRINTK_DBGP=y
> --
> 1.6.5.3
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo(a)vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>
From: wzt wzt on
On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng(a)gmail.com> wrote:
> On Tue, Apr 13, 2010 at 10:52 AM,  <wzt.wzt(a)gmail.com> wrote:
>> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
>> But the config "Filter access to /dev/mem" is "default n", which allows kernel
>> rootkits to use /dev/mem again; it can access all kernel memory by default. Most
>> administrators don't know that "Filter access to /dev/mem" is "default N" when
>> they compile the kernel, so it is easily attacked by a rootkit.
>
> Have you ever successfully attacked a system this way?

[root(a)localhost zealot]# ./zealot
[+] Found HISTSIZE. [SAFE]
[+] Check md5 values. [SAFE]
[+] eth0 was not set promsic. [SAFE]
[+] Not found raw socket. [SAFE]
system_call addr changed to 0xc04028a0,sys_call_table addr changed to
0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
call sys_fork addr changed to 0xc0407bbb

It's a host IDS I wrote; it can search all kernel memory using /dev/mem. OK?

Some of the code is here:
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define DEV_MEM        "/dev/mem"
#define PAGE_BYTES     4096UL
#define ALIGNDOWN(x)   ((x) & ~(PAGE_BYTES - 1))
#define ALIGNUP(x)     (((x) + PAGE_BYTES - 1) & ~(PAGE_BYTES - 1))
#define DbgPrint(...)  fprintf(stderr, __VA_ARGS__)

static int mem_support_flag;   /* set once /dev/mem turns out to be unmappable */

/* Map count bytes of physical memory around off. The 0x0fffffff mask turns
 * a 32-bit kernel virtual address (0xc0000000 + phys) into the physical
 * offset /dev/mem expects; the mapping starts at the page containing off. */
static void *kmap(unsigned long off, unsigned long count)
{
        int fd;
        void *p;

        fd = open(DEV_MEM, O_RDWR);
        if (fd < 0) {
                DbgPrint("open %s failed, errno %d\n", DEV_MEM, errno);
                return NULL;
        }

        p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
                 MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);
        if (p == MAP_FAILED) {
                mem_support_flag = 1;
                fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");
                DbgPrint("mmap failure, errno %d\n", errno);
                close(fd);
                return NULL;
        }

        close(fd);      /* the mapping stays valid after the fd is closed */
        return p;
}

> If CONFIG_STRICT_DEVMEM
> is not set, /dev/mem access is filtered in the PAT code.
Please point me to it, thanks.

>>
>> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>
>>
>> ---
>>  arch/x86/Kconfig.debug            |    3 ++-
>>  arch/x86/configs/i386_defconfig   |    2 +-
>>  arch/x86/configs/x86_64_defconfig |    2 +-
>>  3 files changed, 4 insertions(+), 3 deletions(-)
>>
>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
>> index bc01e3e..733aea6 100644
>> --- a/arch/x86/Kconfig.debug
>> +++ b/arch/x86/Kconfig.debug
>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug"
>>
>>  config STRICT_DEVMEM
>>        bool "Filter access to /dev/mem"
>> +       default y
>>        ---help---
>>          If this option is disabled, you allow userspace (root) access to all
>>          of memory, including kernel and userspace memory. Accidental
>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM
>>          This is sufficient for dosemu and X and all common users of
>>          /dev/mem.
>>
>> -         If in doubt, say Y.
>> +         If in doubt, say N.
>>
>>  config X86_VERBOSE_BOOTUP
>>        bool "Enable verbose x86 bootup info messages"
>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
>> index d28fad1..95c85a8 100644
>> --- a/arch/x86/configs/i386_defconfig
>> +++ b/arch/x86/configs/i386_defconfig
>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>>  # CONFIG_SAMPLES is not set
>>  CONFIG_HAVE_ARCH_KGDB=y
>>  # CONFIG_KGDB is not set
>> -# CONFIG_STRICT_DEVMEM is not set
>> +CONFIG_STRICT_DEVMEM=y
>>  CONFIG_X86_VERBOSE_BOOTUP=y
>>  CONFIG_EARLY_PRINTK=y
>>  CONFIG_EARLY_PRINTK_DBGP=y
>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
>> index 6c86acd..659bfe7 100644
>> --- a/arch/x86/configs/x86_64_defconfig
>> +++ b/arch/x86/configs/x86_64_defconfig
>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>>  # CONFIG_SAMPLES is not set
>>  CONFIG_HAVE_ARCH_KGDB=y
>>  # CONFIG_KGDB is not set
>> -# CONFIG_STRICT_DEVMEM is not set
>> +CONFIG_STRICT_DEVMEM=y
>>  CONFIG_X86_VERBOSE_BOOTUP=y
>>  CONFIG_EARLY_PRINTK=y
>>  CONFIG_EARLY_PRINTK_DBGP=y
>> --
>> 1.6.5.3
>>
>
From: Xiaotian Feng on
On Thu, Apr 15, 2010 at 2:17 PM, wzt wzt <wzt.wzt(a)gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng(a)gmail.com> wrote:
>> On Tue, Apr 13, 2010 at 10:52 AM,  <wzt.wzt(a)gmail.com> wrote:
>>> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
>>> But the config "Filter access to /dev/mem" is "default n", which allows kernel
>>> rootkits to use /dev/mem again; it can access all kernel memory by default. Most
>>> administrators don't know that "Filter access to /dev/mem" is "default N" when
>>> they compile the kernel, so it is easily attacked by a rootkit.
>>
>> Have you ever successfully attacked a system this way?
>
> [root(a)localhost zealot]# ./zealot

So you're running the rootkit as a root user?

> [+] Found HISTSIZE.                             [SAFE]
> [+] Check md5 values.                           [SAFE]
> [+] eth0 was not set promsic.                   [SAFE]
> [+] Not found raw socket.                       [SAFE]
> system_call addr changed to 0xc04028a0,sys_call_table addr changed to
> 0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
> 0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
> call sys_fork addr changed to 0xc0407bbb
>
> It's a host IDS I wrote; it can search all kernel memory using /dev/mem. OK?
>
> some of the code here:
> static void *kmap(unsigned long off, unsigned long count)
> {
>        int fd;
>        void *p;
>
>        fd = open(DEV_MEM, O_RDWR);
>        if (fd < 3) {
>                DbgPrint("open %s failed.\n", DEV_MEM);
>                dup2(fd, 3);
>                close(fd);
>                fd = 3;
>        }
>
>        p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
>                MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);
>        if (p == MAP_FAILED)
>        {
>                mem_support_flag = 1;
>                fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");
>
>                DbgPrint("mmap failture, errno %d\n", errno);
>                close(fd);
>                return NULL;
>        }
>
>        close(fd);
>        return p;
> }
>
>> If CONFIG_STRICT_DEVMEM
>> is not set, /dev/mem access is filtered in the PAT code.
> Please point me to it, thanks.
>

Years ago, someone sent the same patch.
Check http://lkml.org/lkml/2008/11/7/361

>>>
>>> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>
>>>
>>> ---
>>>  arch/x86/Kconfig.debug            |    3 ++-
>>>  arch/x86/configs/i386_defconfig   |    2 +-
>>>  arch/x86/configs/x86_64_defconfig |    2 +-
>>>  3 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
>>> index bc01e3e..733aea6 100644
>>> --- a/arch/x86/Kconfig.debug
>>> +++ b/arch/x86/Kconfig.debug
>>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug"
>>>
>>>  config STRICT_DEVMEM
>>>        bool "Filter access to /dev/mem"
>>> +       default y
>>>        ---help---
>>>          If this option is disabled, you allow userspace (root) access to all
>>>          of memory, including kernel and userspace memory. Accidental
>>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM
>>>          This is sufficient for dosemu and X and all common users of
>>>          /dev/mem.
>>>
>>> -         If in doubt, say Y.
>>> +         If in doubt, say N.
>>>
>>>  config X86_VERBOSE_BOOTUP
>>>        bool "Enable verbose x86 bootup info messages"
>>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
>>> index d28fad1..95c85a8 100644
>>> --- a/arch/x86/configs/i386_defconfig
>>> +++ b/arch/x86/configs/i386_defconfig
>>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>>>  # CONFIG_SAMPLES is not set
>>>  CONFIG_HAVE_ARCH_KGDB=y
>>>  # CONFIG_KGDB is not set
>>> -# CONFIG_STRICT_DEVMEM is not set
>>> +CONFIG_STRICT_DEVMEM=y
>>>  CONFIG_X86_VERBOSE_BOOTUP=y
>>>  CONFIG_EARLY_PRINTK=y
>>>  CONFIG_EARLY_PRINTK_DBGP=y
>>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
>>> index 6c86acd..659bfe7 100644
>>> --- a/arch/x86/configs/x86_64_defconfig
>>> +++ b/arch/x86/configs/x86_64_defconfig
>>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>>>  # CONFIG_SAMPLES is not set
>>>  CONFIG_HAVE_ARCH_KGDB=y
>>>  # CONFIG_KGDB is not set
>>> -# CONFIG_STRICT_DEVMEM is not set
>>> +CONFIG_STRICT_DEVMEM=y
>>>  CONFIG_X86_VERBOSE_BOOTUP=y
>>>  CONFIG_EARLY_PRINTK=y
>>>  CONFIG_EARLY_PRINTK_DBGP=y
>>> --
>>> 1.6.5.3
>>>
>>
>
From: wzt wzt on
> So you're running the rootkit as a root user?
>
A rootkit always runs as a root user.


> Years ago, someone sent the same patch.
> Check http://lkml.org/lkml/2008/11/7/361
Thanks, I read it. But nowadays >= 2.6.26 kernels have become more
popular, and more people are starting to use them. When they compile the kernel, they
don't change the KERNEL_HACKING options, because they are not kernel
programmers.
From: Xiaotian Feng on
On Thu, Apr 15, 2010 at 2:17 PM, wzt wzt <wzt.wzt(a)gmail.com> wrote:
> On Thu, Apr 15, 2010 at 2:12 PM, Xiaotian Feng <xtfeng(a)gmail.com> wrote:
>> On Tue, Apr 13, 2010 at 10:52 AM,  <wzt.wzt(a)gmail.com> wrote:
>>> Recently, most companies have started using >=2.6.31 kernels to replace Red Hat kernels.
>>> But the config "Filter access to /dev/mem" is "default n", which allows kernel
>>> rootkits to use /dev/mem again; it can access all kernel memory by default. Most
>>> administrators don't know that "Filter access to /dev/mem" is "default N" when
>>> they compile the kernel, so it is easily attacked by a rootkit.
>>
>> Have you ever successfully attacked a system this way?

I'm curious about the result if you turn this option on.

>
> [root(a)localhost zealot]# ./zealot
> [+] Found HISTSIZE.                             [SAFE]
> [+] Check md5 values.                           [SAFE]
> [+] eth0 was not set promsic.                   [SAFE]
> [+] Not found raw socket.                       [SAFE]
> system_call addr changed to 0xc04028a0,sys_call_table addr changed to
> 0xc0675130,Found dr rootkit!,system call sys_execve addr changed to
> 0xc0401582,system call sys_olduname addr changed to 0xc0405989,system
> call sys_fork addr changed to 0xc0407bbb
>
> It's a host IDS I wrote; it can search all kernel memory using /dev/mem. OK?
>
> some of the code here:
> static void *kmap(unsigned long off, unsigned long count)
> {
>        int fd;
>        void *p;
>
>        fd = open(DEV_MEM, O_RDWR);
>        if (fd < 3) {
>                DbgPrint("open %s failed.\n", DEV_MEM);
>                dup2(fd, 3);
>                close(fd);
>                fd = 3;
>        }
>
>        p = mmap(NULL, ALIGNUP(count + 4097), PROT_READ | PROT_WRITE,
>                MAP_SHARED, fd, ALIGNDOWN(off) & 0x0fffffff);

mmap_mem in drivers/char/mem.c:

        if (!range_is_allowed(vma->vm_pgoff, size))
                return -EPERM;

        if (!phys_mem_access_prot_allowed(file, vma->vm_pgoff, size,
                                          &vma->vm_page_prot))
                return -EINVAL;

If the kernel is built without CONFIG_STRICT_DEVMEM, the range_is_allowed in
mem.c always returns 1, and phys_mem_access_prot_allowed is defined as a weak symbol.

In arch/x86/mm/pat.c, phys_mem_access_prot_allowed is defined, and there a
range_is_allowed is declared that checks the memory access without
CONFIG_STRICT_DEVMEM, so it looks the same as a kernel with
CONFIG_STRICT_DEVMEM.

What's the result for a kernel with CONFIG_STRICT_DEVMEM? Does it prevent
your rootkit?

>        if (p == MAP_FAILED)
>        {
>                mem_support_flag = 1;
>                fprintf(stdout, "[-] /dev/mem cannot be read or write.\n");
>
>                DbgPrint("mmap failture, errno %d\n", errno);
>                close(fd);
>                return NULL;
>        }
>
>        close(fd);
>        return p;
> }
>
>> If CONFIG_STRICT_DEVMEM
>> is not set, /dev/mem access is filtered in the PAT code.
> Please point me to it, thanks.
>
>>>
>>> Signed-off-by: Zhitong Wang <zhitong.wangzt(a)alibaba-inc.com>
>>>
>>> ---
>>>  arch/x86/Kconfig.debug            |    3 ++-
>>>  arch/x86/configs/i386_defconfig   |    2 +-
>>>  arch/x86/configs/x86_64_defconfig |    2 +-
>>>  3 files changed, 4 insertions(+), 3 deletions(-)
>>>
>>> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
>>> index bc01e3e..733aea6 100644
>>> --- a/arch/x86/Kconfig.debug
>>> +++ b/arch/x86/Kconfig.debug
>>> @@ -7,6 +7,7 @@ source "lib/Kconfig.debug"
>>>
>>>  config STRICT_DEVMEM
>>>        bool "Filter access to /dev/mem"
>>> +       default y
>>>        ---help---
>>>          If this option is disabled, you allow userspace (root) access to all
>>>          of memory, including kernel and userspace memory. Accidental
>>> @@ -20,7 +21,7 @@ config STRICT_DEVMEM
>>>          This is sufficient for dosemu and X and all common users of
>>>          /dev/mem.
>>>
>>> -         If in doubt, say Y.
>>> +         If in doubt, say N.
>>>
>>>  config X86_VERBOSE_BOOTUP
>>>        bool "Enable verbose x86 bootup info messages"
>>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
>>> index d28fad1..95c85a8 100644
>>> --- a/arch/x86/configs/i386_defconfig
>>> +++ b/arch/x86/configs/i386_defconfig
>>> @@ -2386,7 +2386,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>>>  # CONFIG_SAMPLES is not set
>>>  CONFIG_HAVE_ARCH_KGDB=y
>>>  # CONFIG_KGDB is not set
>>> -# CONFIG_STRICT_DEVMEM is not set
>>> +CONFIG_STRICT_DEVMEM=y
>>>  CONFIG_X86_VERBOSE_BOOTUP=y
>>>  CONFIG_EARLY_PRINTK=y
>>>  CONFIG_EARLY_PRINTK_DBGP=y
>>> diff --git a/arch/x86/configs/x86_64_defconfig b/arch/x86/configs/x86_64_defconfig
>>> index 6c86acd..659bfe7 100644
>>> --- a/arch/x86/configs/x86_64_defconfig
>>> +++ b/arch/x86/configs/x86_64_defconfig
>>> @@ -2360,7 +2360,7 @@ CONFIG_PROVIDE_OHCI1394_DMA_INIT=y
>>>  # CONFIG_SAMPLES is not set
>>>  CONFIG_HAVE_ARCH_KGDB=y
>>>  # CONFIG_KGDB is not set
>>> -# CONFIG_STRICT_DEVMEM is not set
>>> +CONFIG_STRICT_DEVMEM=y
>>>  CONFIG_X86_VERBOSE_BOOTUP=y
>>>  CONFIG_EARLY_PRINTK=y
>>>  CONFIG_EARLY_PRINTK_DBGP=y
>>> --
>>> 1.6.5.3
>>>
>>
>
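As an added example, not code from the thread, from the zealot tool or from the kernel, here is a user-space C model of the decision Xiaotian describes for mmap_mem() and of the physical-offset mask in wzt's kmap(); it serves both passages. It assumes the x86 devmem_is_allowed() rule of the 2.6.3x kernels being discussed (the low 1 MiB, pfn <= 256, is always mappable; RAM above it is refused; the real function's iomem exclusivity check is left out), uses a constructed RAM map in place of the e820 table, and mirrors the kernel's function names while the bodies are the model's own. It shows why the same sys_call_table page that the tool reads is refused once the range check is active and allowed when it is compiled out.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a user-space model of the x86 /dev/mem filter, not kernel
 * code. mmap_mem() in drivers/char/mem.c calls range_is_allowed(); on x86 the
 * walk ends in devmem_is_allowed(), which in the 2.6.3x kernels of the thread
 * permits the first 1 MiB (pfn <= 256) and any non-RAM page and refuses pages
 * the kernel uses as RAM. The RAM map below is a constructed sample, and the
 * real function's iomem exclusivity check is omitted. */

#define MODEL_PAGE_SHIFT 12
#define MODEL_PAGE_SIZE  (1ULL << MODEL_PAGE_SHIFT)

struct ram_range { uint64_t start, end; };   /* [start, end) physical bytes */

/* Constructed sample memory map: 640 KiB of low RAM, the VGA/BIOS hole,
 * then RAM from 1 MiB up to 1 GiB. */
static const struct ram_range sample_ram[] = {
    { 0x00000000ULL, 0x000a0000ULL },
    { 0x00100000ULL, 0x40000000ULL },
};

static bool page_is_ram(uint64_t pfn)
{
    uint64_t addr = pfn << MODEL_PAGE_SHIFT;

    for (size_t i = 0; i < sizeof sample_ram / sizeof sample_ram[0]; i++)
        if (addr >= sample_ram[i].start && addr < sample_ram[i].end)
            return true;
    return false;
}

/* Model of x86 devmem_is_allowed(): the low megabyte stays mappable for X and
 * dosemu (the "common users" the Kconfig help text names); RAM above it does not. */
static bool devmem_is_allowed(uint64_t pfn)
{
    if (pfn <= 256)
        return true;
    return !page_is_ram(pfn);
}

/* Model of range_is_allowed(): page-by-page walk of the requested range. With
 * the filter compiled out (strict == false) the mem.c version returns 1 for
 * everything, which is the gap the patch author is worried about. */
static int range_is_allowed(uint64_t pfn, uint64_t size, bool strict)
{
    uint64_t from = pfn << MODEL_PAGE_SHIFT, to = from + size, cursor = from;

    if (!strict)
        return 1;
    while (cursor < to) {
        if (!devmem_is_allowed(pfn))
            return 0;
        cursor += MODEL_PAGE_SIZE;
        pfn++;
    }
    return 1;
}

/* Decide an mmap(/dev/mem) request the way mmap_mem() does: pgoff is the page
 * offset handed to mmap(), size the mapping length. Returns 0 when the mapping
 * is allowed and -EPERM when the filter refuses it. */
static int mmap_mem_decision(uint64_t pgoff, uint64_t size, bool strict)
{
    return range_is_allowed(pgoff, size, strict) ? 0 : -EPERM;
}

/* The mask from the thread's kmap(): a 32-bit kernel virtual address in the
 * 0xc0000000 direct map becomes the physical offset /dev/mem expects. */
static unsigned long kvirt_to_phys32(unsigned long kva)
{
    return kva & 0x0fffffffUL;
}

int main(void)
{
    /* sys_call_table address from the thread's output: pfn 0x675, RAM above 1 MiB */
    uint64_t pfn = kvirt_to_phys32(0xc0675130UL) >> MODEL_PAGE_SHIFT;

    printf("sys_call_table page, filter off : %s\n",
           mmap_mem_decision(pfn, MODEL_PAGE_SIZE, false) ? "EPERM" : "allowed");
    printf("sys_call_table page, filter on  : %s\n",
           mmap_mem_decision(pfn, MODEL_PAGE_SIZE, true) ? "EPERM" : "allowed");
    printf("VGA hole 0xa0000, filter on     : %s\n",
           mmap_mem_decision(0xa0, MODEL_PAGE_SIZE, true) ? "EPERM" : "allowed");
    printf("3 pages from pfn 255, filter on : %s\n",
           mmap_mem_decision(0xff, 3 * MODEL_PAGE_SIZE, true) ? "EPERM" : "allowed");
    return 0;
}
```

The page-by-page walk matters for the last case: pfn 255 and 256 are inside the legacy low megabyte, but a three-page request reaches pfn 257, which is RAM, so the whole mapping is refused rather than silently truncated. On a live system the equivalent observation is an EPERM from mmap() on /dev/mem for a kernel-text physical offset when the filter is active; the model lets you reason about the policy without root or a real /dev/mem.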