Vulnerabilities / Threats
4/14/2009
04:21 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attack Sneaks Rootkits Into Linux Kernel

A researcher at Black Hat Europe this week will demonstrate a more stealthy way to hack Linux

Kernel rootkits are tough enough to detect, but a researcher this week has demonstrated an even sneakier method of hacking Linux.

The attack attack exploits an oft-forgotten function in Linux versions 2.4 and above in order to quietly insert a rootkit into the operating system kernel as a way to hide malware processes, hijack system calls, and open remote backdoors into the machine, for instance. At Black Hat Europe this week in Amsterdam, Anthony Lineberry, senior software engineer for Flexilis, will demonstrate how to hack the Linux kernel by exploiting the driver interface to physically addressable memory in Linux, called /dev/mem.

"One of bonuses of this [approach] is that most kernel module rootkits make a lot noise when they are inserting [the code]. This one is directly manipulating" the memory, so it's less noticeable, he says.

The /dev/mem "device" can be opened like a file, and you can read and write to it like a text file, Lineberry says. It's normally used for debugging the kernel, for instance.

Lineberry has developed a proof-of-concept attack that reads and writes to kernel memory as well as stores code inside the kernel, and he plans to release a framework at Black Hat that lets you use /dev/mem to "implement rootkit-like behaviors," he says.

The idea of abusing /dev/mem to hack the Linux kernel is not really new, he says. "People have known what you can do with these /dev/mem devices, but I have never seen any rootkits with dev/mem before," he says.

[UPDATE: But Linux experts point out that the technique Lineberry is demonstrating at Black Hat indeed been has been deployed before with the so-called SuckIT rootkit, and as far back as the late 1990s with direct kernel-object modification (DKOM) rootkits].

This method of attack is not as simple as writing a kernel module like a lot of rootkit attacks entail, however, Lineberry says. "This is a lot more tedious and requires a lot more in-depth knowledge of kernel internals and systems architecture ... But the framework enables you to leverage this a little more easily."

And the /dev/mem exploitation is just the first step in an attack on Linux. "After you've exploited a box and have root access, at that point you can use it to maintain that access and anything any rootkit can do -- hiding processes, files, and controlling network traffic," Lineberry says.

Linux system administrators typically aren't aware of the potential dangers of leaving /dev/mem exposed, he says. Lineberry says his goal is to educate them on this potential security hole. And there's now a way to defend against such an attack, too: the Linux development community recently issued a patch to locks down /dev/mem, limiting read and write access from the outside, he says.

"The problem with kernel-based rootkits is that the rootkit can mitigate [detection] because it has control," he says. "It's a race in the kernel to see who's going to see who first."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

CVE-2015-0528
Published: 2015-03-29
The RPC daemon in EMC Isilon OneFS 6.5.x and 7.0.x before 7.0.2.13, 7.1.0 before 7.1.0.6, 7.1.1 before 7.1.1.2, and 7.2.0 before 7.2.0.1 allows local users to gain privileges by leveraging an ability to modify system files.

CVE-2015-0996
Published: 2015-03-29
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive info...

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.