Making Your Linux Desktop More Secure (this article is still being revised and improved)
Executable bss (mprotect)                : Vulnerable
Executable data (mprotect)               : Vulnerable
Executable heap (mprotect)               : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Executable stack (mprotect)              : Vulnerable
Anonymous mapping randomisation test     : 9 bits (guessed)
Heap randomisation test (ET_EXEC)        : No randomisation
Heap randomisation test (ET_DYN)         : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : No randomisation
Shared library randomisation test        : 10 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 11 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 11 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Vulnerable
Executable shared library data           : Vulnerable
Writable text segments                   : Vulnerable


Below is the output with PaX protection enabled.
baoz@laptop:~/kernel/paxtest-0.9.7-pre5$ ./paxtest
usage: paxtest [kiddie|blackhat]

baoz@laptop:~/kernel/paxtest-0.9.7-pre5$ ./paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux laptop 2.6.19.2 #10 Tue Jan 23 20:21:22 CST 2007 i686 GNU/Linux
Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect)              : Killed
Anonymous mapping randomisation test     : 17 bits (guessed)
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Heap randomisation test (ET_DYN)         : 23 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : 15 bits (guessed)
Shared library randomisation test        : 17 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 23 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 23 bits (guessed)
Return to function (strcpy)              : Vulnerable
Return to function (strcpy, RANDEXEC)    : Vulnerable
Return to function (memcpy)              : Vulnerable
Return to function (memcpy, RANDEXEC)    : Vulnerable
Executable shared library bss            : Killed
Executable shared library data           : Killed
Writable text segments                   : Killed

From the output above we can see which things are protected (Killed) and which are not protected (Vulnerable).
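As an added example (not part of the original article), the following shell function puts the two paxtest logs side by side and marks each test as blocked, still exposed, or by how many bits its randomisation grew. The sample logs are excerpts of the two runs shown above; the names paxtest_diff and write_samples and the verdict labels are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article.

# paxtest_diff BEFORE_LOG AFTER_LOG
# Prints "test|before|after|verdict" for every result line in AFTER_LOG.
paxtest_diff() {
    awk -F' *: ' '
        function bits(s) { return (s ~ /^[0-9]+ bits/) ? s + 0 : 0 }
        # Skip banners and prompts; keep only "<test> : <result>" lines.
        $2 !~ /^(Vulnerable|Killed|No randomisation|[0-9]+ bits)/ { next }
        FILENAME == ARGV[1] { before[$1] = $2; next }   # first log: remember
        {
            b = ($1 in before) ? before[$1] : "n/a"
            if ($2 == "Vulnerable")            v = "STILL-EXPOSED"
            else if ($2 == "No randomisation") v = "NOT-RANDOMISED"
            else if ($2 == "Killed")           v = "BLOCKED"
            else                               v = "ENTROPY+" (bits($2) - bits(b))
            printf "%s|%s|%s|%s\n", $1, b, $2, v
        }' "$1" "$2"
}

# Excerpts of the two paxtest runs shown in the article (without / with PaX).
write_samples() {
    cat > "$1/nopax.log" <<'EOF'
Executable stack (mprotect)              : Vulnerable
Executable shared library data (mprotect): Vulnerable
Heap randomisation test (ET_EXEC)        : No randomisation
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : 10 bits (guessed)
Return to function (strcpy)              : Vulnerable
EOF
    cat > "$1/pax.log" <<'EOF'
Mode: blackhat
Executable stack (mprotect)              : Killed
Executable shared library data (mprotect): Killed
Heap randomisation test (ET_EXEC)        : 13 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Shared library randomisation test        : 17 bits (guessed)
Return to function (strcpy)              : Vulnerable
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
paxtest_diff "$tmp/nopax.log" "$tmp/pax.log"
rm -rf "$tmp"
```

In the excerpt the return-to-function test stays Vulnerable in both runs, which is the ret2lib caveat the closing remarks come back to.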


b. First we need to install a patched binutils
Download binutils and the patch:
Apply the patch:
baoz@laptop:~/kernel$ tar xfj binutils-2.17.tar.bz2
baoz@laptop:~/kernel$ cd binutils-2.17/
baoz@laptop:~/kernel/binutils-2.17$ patch -p1 < ../binutils-2.17-pt-pax-flags-200607012130.patch

Install:
baoz@laptop:~/kernel/binutils-2.17$ ./configure --prefix=/usr && make && sudo make install

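c. Debugging information
When a program that used to work fine suddenly refuses to run, the likely cause is that PaX has blocked it; the main examples are java and xine.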
baoz@laptop:~$ which java
/usr/lib/jvm/java-1.5.0-sun/bin/java
baoz@laptop:~$ java
杀死


Let's take a look at dmesg:
baoz@laptop:~$ dmesg
[  704.026090] PAX: execution attempt in: <anonymous mapping>, 44803000-4482b000 44803000
[  704.026100] PAX: terminating task: /usr/lib/jvm/java-1.5.0-sun-1.5.0.08/jre/bin/java(java):3431, uid/euid: 1000/1000, PC: 44803040, SP: 58cea3ac
[  704.026106] PAX: bytes at PC: 55 8b 6c 24 08 53 56 9c 58 50 8b c8 81 f0 00 00 04 00 50 9d
[  704.026118] PAX: bytes at SP-4: 00000006 49b56d60 49bad3c0 0000000c 58cea3d0 4985ca24 00000006 ffffffff 000000c9 49baeaec 000000f4 58cea4b0 58cea408 4985c6f2 58cea3f8 58cea4b0 000000f4 08069ca0 49b91c4a 49baeaec 58cea418

With this we can be fairly sure that PaX blocked it.
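The dmesg check above can be turned into a small filter; this is an added example, not part of the original article. It pairs each "PAX: terminating task" line with the preceding "execution attempt in" line. The first event in the sample is the java kill shown above, the second is constructed, and pax_kills, sample_dmesg and the uid!=euid note are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original article.

# pax_kills: read kernel log text on stdin, print one line per PaX kill:
#   exe|comm|pid|uid|euid|region|note
pax_kills() {
    awk '
        BEGIN { region = "?" }
        /PAX: execution attempt in: / {        # remember the faulting region
            region = $0
            sub(/.*PAX: execution attempt in: /, "", region)
            sub(/,.*/, "", region)
            next
        }
        /PAX: terminating task: / {
            rec = $0
            sub(/.*PAX: terminating task: /, "", rec)
            # rec: /path/exe(comm):PID, uid/euid: U/E, PC: ..., SP: ...
            if (!match(rec, /\([^()]*\):[0-9]+, uid\/euid: [0-9]+\/[0-9]+/)) next
            exe  = substr(rec, 1, RSTART - 1)
            tail = substr(rec, RSTART + 1, RLENGTH - 1)  # comm):PID, uid/euid: U/E
            comm = tail; sub(/\):.*/, "", comm)
            pid  = tail; sub(/.*\):/, "", pid); sub(/,.*/, "", pid)
            ids  = tail; sub(/.*uid\/euid: /, "", ids); split(ids, id, "/")
            # A kill in a process whose uid and euid differ deserves a closer look.
            note = (id[1] != id[2]) ? "uid!=euid" : "-"
            printf "%s|%s|%s|%s|%s|%s|%s\n", exe, comm, pid, id[1], id[2], region, note
            region = "?"
        }'
}

# First three lines are from the article; the last two are constructed.
sample_dmesg() {
    cat <<'EOF'
[  704.026090] PAX: execution attempt in: <anonymous mapping>, 44803000-4482b000 44803000
[  704.026100] PAX: terminating task: /usr/lib/jvm/java-1.5.0-sun-1.5.0.08/jre/bin/java(java):3431, uid/euid: 1000/1000, PC: 44803040, SP: 58cea3ac
[  704.026106] PAX: bytes at PC: 55 8b 6c 24 08 53 56 9c 58 50 8b c8 81 f0 00 00 04 00 50 9d
[  900.000001] PAX: execution attempt in: <anonymous mapping>, 40000000-40001000 40000000
[  900.000002] PAX: terminating task: /opt/example/bin/helper(helper):4100, uid/euid: 1000/0, PC: 40000010, SP: 5fffe000
EOF
}

sample_dmesg | pax_kills
```

On a live system the same function reads the real log with dmesg | pax_kills.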

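d. Installing paxctl for per-program settings
The problem above makes daily use somewhat inconvenient: for example, running lumaqq or watching a movie with the xine engine now fails. We can use the paxctl program to adjust the settings for just these problem programs and give them a little extra privilege.
Install paxctl: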
baoz@laptop:~$ sudo apt-get install paxctl
baoz@laptop:~$ sudo paxctl
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>

usage: paxctl <options> <files>

options:
       -p: disable PAGEEXEC            -P: enable PAGEEXEC
       -e: disable EMUTRMAP            -E: enable EMUTRMAP
       -m: disable MPROTECT            -M: enable MPROTECT
       -r: disable RANDMMAP            -R: enable RANDMMAP
       -x: disable RANDEXEC            -X: enable RANDEXEC
       -s: disable SEGMEXEC            -S: enable SEGMEXEC

       -v: view flags                  -z: restore default flags
       -q: suppress error messages     -Q: report flags in short format
       -c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
       -C: create PT_PAX_FLAGS (see manpage!)


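After reading this I was a bit frustrated: paxctl mentions a manpage, but it does not seem to have given us one... Never mind, let's be the guinea pigs, heh.
Normally, converting PT_GNU_STACK into PT_PAX_FLAGS is enough to let paxctl control a binary, but java seems to need PT_PAX_FLAGS to be created instead. No matter, heh.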
baoz@laptop:~$ sudo paxctl  -c `which java`
file /usr/lib/jvm/java-1.5.0-sun/bin/java does not have a PT_GNU_STACK program header, conversion failed

baoz@laptop:~$ sudo paxctl  -C `which java`
file /usr/lib/jvm/java-1.5.0-sun/bin/java got a new PT_PAX_FLAGS program header

Now let's look at the flags of the java program:
baoz@laptop:~$ paxctl -v `which java`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/lib/jvm/java-1.5.0-sun/bin/java]
       RANDEXEC is disabled
       EMUTRAMP is disabled


Now we change the PaX flags and remove the MPROTECT flag:
baoz@laptop:~$ sudo paxctl -m `which java`
baoz@laptop:~$ paxctl -v `which java`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/lib/jvm/java-1.5.0-sun/bin/java]
       MPROTECT is disabled
       RANDEXEC is disabled
       EMUTRAMP is disabled

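Now we can run java programs, and lumaqq works too. For xine we do the same: whenever a program will not run, we can proceed like this, removing one flag at a time. If that is too tedious, we can simply add -pemrxs.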

Next we configure xchat so that it runs at a fairly high protection level:
baoz@laptop:~$ sudo paxctl -C `which xchat`
baoz@laptop:~$ sudo paxctl -v `which xchat`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/bin/xchat]
       RANDEXEC is disabled
       EMUTRAMP is disabled


Set it to the maximum protection level:
baoz@laptop:~$ sudo paxctl -REMRXS `which xchat`
baoz@laptop:~$ sudo paxctl -v `which xchat`
PaX control v0.4
Copyright 2004,2005,2006 PaX Team <pageexec@freemail.hu>

- PaX flags: --S-M-X-E-R- [/usr/bin/xchat]
       SEGMEXEC is enabled
       MPROTECT is enabled
       RANDEXEC is enabled
       EMUTRAMP is enabled
       RANDMMAP is enabled


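Then we run xchat from konsole so that we can see any error messages. The result is that xchat runs normally. If errors do appear, we remove the flags one at a time until it runs.
We can also check dmesg to find the error messages :)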
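The one-flag-at-a-time procedure described above can be automated so that a program ends up with only the flags it really needs disabled, rather than -pemrxs. This is an added example, not part of the original article: pax_relax, apply_flags and the PAXCTL override are hypothetical names, the order m, p, s, r is a choice made here, and it assumes that paxctl -z returns the binary to its default flags and that the test command exits on its own (a version check rather than a GUI session).

```shell
#!/bin/sh
# Added example, not part of the original article.
# PAXCTL is a hypothetical override so the functions can be exercised with a
# stand-in; by default the real paxctl is called with flags from its usage text.
PAXCTL=${PAXCTL:-paxctl}

# apply_flags FILE FLAGS: restore default flags, then disable only FLAGS.
apply_flags() {
    $PAXCTL -z "$1" || return 1
    [ -z "$2" ] || $PAXCTL "-$2" "$1"
}

# pax_relax FILE CMD [ARGS...]
# Finds a small set of PaX features that must be disabled on FILE for CMD to
# exit 0, leaves FILE with exactly that set, and prints it ("none" if empty).
# e and x are left out: the paxctl -v output above shows EMUTRAMP and RANDEXEC
# already disabled on a freshly created header.
pax_relax() {
    file=$1; shift
    off=""
    apply_flags "$file" "" || return 2
    # Step 1: as in the article, drop one more flag at a time until CMD works.
    for f in m p s r; do
        "$@" >/dev/null 2>&1 && break
        off="$off$f"
        apply_flags "$file" "$off" || return 2
    done
    if ! "$@" >/dev/null 2>&1; then
        apply_flags "$file" ""        # PaX flags were not the cause: undo
        echo "unresolved"; return 1
    fi
    # Step 2: try to give each dropped flag back; keep it off only if needed.
    for f in m p s r; do
        case $off in *"$f"*) ;; *) continue ;; esac
        try=$(printf '%s' "$off" | tr -d "$f")
        apply_flags "$file" "$try" || return 2
        if "$@" >/dev/null 2>&1; then off=$try; fi
    done
    apply_flags "$file" "$off" || return 2
    echo "${off:-none}"
}

# Usage (as root, on a binary that already has a PT_PAX_FLAGS header):
#   pax_relax "$(which java)" java -version
```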

To leave myself and everyone else more room for DIY, the article stops here; the rest is for you to carry on with :)

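Closing words: technology is a bottomless pit, and I cannot guarantee that the methods above will make our system immune to everything. There are certainly ways to get around PaX (ret2lib attacks). But finding an exploitable remote vulnerability, bypassing PaX, then escalating privileges locally to root, and then installing a rootkit+backdoor for a 2.6 kernel? Anyone with some understanding of Linux security will know that these three hurdles, "find a remotely exploitable vulnerability and bypass PaX", "local privilege escalation on a 2.6 kernel" and "a rootkit+backdoor on 2.6", are very hard to clear. Before publishing this article I did wonder whether, once it was out, people with an interest in me could mount a targeted attack. Then I decided I was worrying too much: if a super expert of that calibre really is interested in my system, I will just accept being hacked, heh.

Linux is not like Windows. On Windows we are furtive: which antivirus software, which firewall, which intrusion detection system and which integrity checker we have installed basically must not be known to others, because that lets them attack us in a targeted way. Getting past a firewall or an antivirus product on Windows is not difficult; the bar is not high at all. I once asked a well-known AV person in the security community, and he told me that even antivirus software is quite likely to be hit by overflow attacks, especially some of the automatic unpacking scripts, which can go wrong if they are not handled well. In other words, the antivirus software might be overflowed while it is scanning for viruses. No such vulnerability seems to have been published yet, but we cannot be sure whether one exists. As I said, technology is forever a bottomless pit: there is only more secure, never most secure.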
