Making your Linux desktop more secure
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect) : Vulnerable
Anonymous mapping randomisation test : 9 bits (guessed)
Heap randomisation test (ET_EXEC) : No randomisation
Heap randomisation test (ET_DYN) : No randomisation
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : 10 bits (guessed)
Stack randomisation test (SEGMEXEC) : 11 bits (guessed)
Stack randomisation test (PAGEEXEC) : 11 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Vulnerable
Executable shared library data : Vulnerable
Writable text segments : Vulnerable
Below is the output with PaX protection enabled.
baoz@laptop:~/kernel/paxtest-0.9.7-pre5$ ./paxtest
usage: paxtest [kiddie|blackhat]
baoz@laptop:~/kernel/paxtest-0.9.7-pre5$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux laptop 2.6.19.2 #10 Tue Jan 23 20:21:22 CST 2007 i686 GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 17 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 23 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : 15 bits (guessed)
Shared library randomisation test : 17 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 23 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed
From the output above we can see what is protected (Killed) and what is not (Vulnerable). Note that the "Return to function" tests stay Vulnerable either way: they model return-to-libc style attacks, which PaX does not claim to stop (see the closing remarks).
b. First we need to install a patched binutils
Download binutils and the patch:
Apply the patch:
baoz@laptop:~/kernel$ tar xfj binutils-2.17.tar.bz2
baoz@laptop:~/kernel$ cd binutils-2.17/
baoz@laptop:~/kernel/binutils-2.17$ patch -p1 < ../binutils-2.17-pt-pax-flags-200607012130.patch
Install:
baoz@laptop:~/kernel/binutils-2.17$ ./configure --prefix=/usr; make;sudo make install
c. Debugging information
When a program that used to work fine no longer runs, PaX has probably intercepted it; this mainly affects java and xine.
baoz@laptop:~$ which java
/usr/lib/jvm/java-1.5.0-sun/bin/java
baoz@laptop:~$ java
殺死
Let's look at dmesg:
baoz@laptop:~$ dmesg
[ 704.026090] PAX: execution attempt in: <anonymous mapping>, 44803000-4482b000 44803000
[ 704.026100] PAX: terminating task: /usr/lib/jvm/java-1.5.0-sun-1.5.0.08/jre/bin/java(java):3431, uid/euid: 1000/1000, PC: 44803040, SP: 58cea3ac
[ 704.026106] PAX: bytes at PC: 55 8b 6c 24 08 53 56 9c 58 50 8b c8 81 f0 00 00 04 00 50 9d
[ 704.026118] PAX: bytes at SP-4: 00000006 49b56d60 49bad3c0 0000000c 58cea3d0 4985ca24 00000006 ffffffff 000000c9 49baeaec 000000f4 58cea4b0 58cea408 4985c6f2 58cea3f8 58cea4b0 000000f4 08069ca0 49b91c4a 49baeaec 58cea418
From this we can be fairly sure that PaX is what stopped it.
d. Install paxctl and set per-program flags
The problem above is inconvenient in daily use: for example, running LumaQQ or watching a movie with the xine engine breaks. We can use paxctl to adjust the settings for just those programs and grant them a little extra privilege.
Install paxctl:
baoz@laptop:~$ sudo apt-get install paxctl
baoz@laptop:~$ sudo paxctl
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>
usage: paxctl <options> <files>
options:
-p: disable PAGEEXEC -P: enable PAGEEXEC
-e: disable EMUTRMAP -E: enable EMUTRMAP
-m: disable MPROTECT -M: enable MPROTECT
-r: disable RANDMMAP -R: enable RANDMMAP
-x: disable RANDEXEC -X: enable RANDEXEC
-s: disable SEGMEXEC -S: enable SEGMEXEC
-v: view flags -z: restore default flags
-q: suppress error messages -Q: report flags in short format
-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
-C: create PT_PAX_FLAGS (see manpage!)
Slightly annoying: paxctl refers to a manpage, but it doesn't seem to ship one. Never mind, we'll play guinea pig, heh.
Normally converting PT_GNU_STACK into PT_PAX_FLAGS is enough for paxctl to control a binary, but java apparently needs a PT_PAX_FLAGS header created from scratch. No matter, heh:
baoz@laptop:~$ sudo paxctl -c `which java`
file /usr/lib/jvm/java-1.5.0-sun/bin/java does not have a PT_GNU_STACK program header, conversion failed
baoz@laptop:~$ sudo paxctl -C `which java`
file /usr/lib/jvm/java-1.5.0-sun/bin/java got a new PT_PAX_FLAGS program header
Now let's look at the java binary's flags:
baoz@laptop:~$ paxctl -v `which java`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>
- PaX flags: -------x-e-- [/usr/lib/jvm/java-1.5.0-sun/bin/java]
RANDEXEC is disabled
EMUTRAMP is disabled
Now we change the PaX flags and disable MPROTECT:
baoz@laptop:~$ sudo paxctl -m `which java`
baoz@laptop:~$ paxctl -v `which java`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [/usr/lib/jvm/java-1.5.0-sun/bin/java]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
Now java programs run, and LumaQQ works too. Do the same for xine. Whenever a program refuses to run, this is the procedure: disable the flags one at a time. If that is too tedious, just pass -pemrxs to disable them all at once; bear in mind that this strips every PaX protection from that one binary, so dropping only the flag dmesg points at is the safer choice.
Next, let's configure xchat to run at a higher protection level:
baoz@laptop:~$ sudo paxctl -C `which xchat`
baoz@laptop:~$ sudo paxctl -v `which xchat`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>
- PaX flags: -------x-e-- [/usr/bin/xchat]
RANDEXEC is disabled
EMUTRAMP is disabled
Set the maximum protection level:
baoz@laptop:~$ sudo paxctl -REMRXS `which xchat`
baoz@laptop:~$ sudo paxctl -v `which xchat`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>
- PaX flags: --S-M-X-E-R- [/usr/bin/xchat]
SEGMEXEC is enabled
MPROTECT is enabled
RANDEXEC is enabled
EMUTRAMP is enabled
RANDMMAP is enabled
Then run xchat from konsole so that any error messages are visible. In this case xchat runs fine; if errors appear, disable the flags one at a time until it runs.
dmesg will also show the relevant PaX messages :)
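As an added example (not code from the article or from the PaX project), here is a small Python reader for the PT_PAX_FLAGS program header that `paxctl -C` creates and `paxctl -m` / `paxctl -REMRXS` modify in the java and xchat steps above; it decodes the p_flags bits and renders them in the 12-character notation `paxctl -v` prints. The header type value and bit positions are those used by the PaX patch; the ELF32 bytes are constructed inline for testing and are not a real binary.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, the header type the PaX patch defines
# p_flags bits: (feature, enable bit, disable bit); neither set means "kernel default".
# paxctl -M/-m and friends set one of the pair and clear the other.
PAX_BITS = [
    ("PAGEEXEC", 1 << 4, 1 << 5),
    ("SEGMEXEC", 1 << 6, 1 << 7),
    ("MPROTECT", 1 << 8, 1 << 9),
    ("RANDEXEC", 1 << 10, 1 << 11),
    ("EMUTRAMP", 1 << 12, 1 << 13),
    ("RANDMMAP", 1 << 14, 1 << 15),
]
PAXCTL_LETTERS = "PSMXER"  # column order of paxctl -v's 12-character flag string

def decode_pax_flags(p_flags):
    """Map p_flags to {feature: 'enabled' | 'disabled' | 'default'}."""
    return {name: "enabled" if p_flags & on else "disabled" if p_flags & off else "default"
            for name, on, off in PAX_BITS}

def paxctl_string(states):
    """Render states the way paxctl -v prints them, e.g. '-----m-x-e--'."""
    out = []
    for letter, (name, _, _) in zip(PAXCTL_LETTERS, PAX_BITS):
        out.append(letter if states[name] == "enabled" else "-")
        out.append(letter.lower() if states[name] == "disabled" else "-")
    return "".join(out)

def find_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the file has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    if elf[4] == 1:                    # EI_CLASS: ELFCLASS32
        phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "IIIHHH", elf, 28)
        flags_off = 24                 # p_flags follows p_memsz in Elf32_Phdr
    else:                              # ELFCLASS64
        phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "QQIHHH", elf, 32)
        flags_off = 4                  # p_flags follows p_type in Elf64_Phdr
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", elf, base)[0] == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", elf, base + flags_off)[0]
    return None

def make_sample_elf32(p_flags):
    """Constructed input (not a real binary): ELF32 header plus one PT_PAX_FLAGS phdr."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)  # class 32, little endian, version 1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_PAX_FLAGS, 0, 0, 0, 0, 0, p_flags, 0)
    return ehdr + phdr
```

Feeding it the flag set left by `paxctl -C` then `paxctl -m` on java yields `-----m-x-e--`, and the set left by `paxctl -REMRXS` on xchat yields `--S-M-X-E-R-`, matching the `paxctl -v` output shown above.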
To leave myself and everyone else more room to tinker, this article ends here; the rest is up to you :)
A final word: technology is a bottomless pit. I cannot guarantee that the methods above will make our systems immune to everything; there are certainly ways to bypass PaX (ret2libc attacks). But consider what it would take: find an exploitable remote vulnerability and bypass PaX, then escalate locally to root, then install a rootkit plus backdoor on a 2.6 kernel. Anyone with some knowledge of Linux security knows that clearing those three hurdles ("find a remotely exploitable vulnerability and bypass PaX", "local privilege escalation on a 2.6 kernel" and "rootkit + backdoor on 2.6") is extremely difficult. Before publishing this article I did wonder whether someone interested in me could use it to mount a targeted attack; then I decided I was overthinking it. If such a superhuman is really interested in my system, I'll accept being hacked, heh.

Linux is not like Windows. On Windows we sneak around: which antivirus, which firewall, which intrusion detection system, which integrity checker we have installed is basically not to be revealed, because with that knowledge someone can attack you in a targeted way, and getting past a firewall or antivirus on Windows is really not hard; the bar is not high at all. I once asked a well-known person in the AV community, and he told me that even antivirus software may well be vulnerable to overflow attacks, especially through automatic unpacking scripts: if those are handled badly, problems can arise, meaning the antivirus might be exploited by an overflow precisely while it is scanning for viruses. It seems no such vulnerability has been published yet, but we cannot be sure none exists. Again: technology is always a bottomless pit; there is only more secure, never most secure.