News, tips, partners, and perspectives for the Oracle Linux operating system and upstream Linux kernel work
-
Technologies
April 18, 2019
Using Ksplice To Detect Exploit Attempts
Ksplice is a very cool technology. Ksplice allows you to patch important security updates to your system without a reboot. The in-memory code is patched as well as on-disk components, closing all the gaps for a security vulnerability. All the while, your applications keep running.
A new feature of Ksplice is Known Exploit Detection. When you patch your system with Ksplice, not only is the security vulnerability closed, but also tripwires are laid down for privilege escalation vulnerabilities. If an attacker attempts to exploit a CVE you’ve patched, Ksplice notifies you.
Ksplice is both protecting your system and alerting you to suspicious activity. Very cool.
Installing & Enabling Known Exploit Detection
Known Exploit Detection is available in Oracle Linux with the Unbreakable Enterprise Kernel (UEK) by installing the ksplice-known-exploit-detection RPM. Packages are available for UEK5 and UEK4 now. UEK3 and UEK2 will follow in the near future.
Install the RPM
# yum install -y ksplice-known-exploit-detection Resolving Dependencies --> Running transaction check ---> Package ksplice-known-exploit-detection.x86_64 0:1.0.37-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved =============================================================================================================== Package Arch Version Repository Size =============================================================================================================== Installing: ksplice-known-exploit-detection x86_64 1.0.37-1.el7 usplice-devel 8.0 k Transaction Summary =============================================================================================================== Install 1 Package Total download size: 8.0 k Installed size: 4.2 k Downloading packages: ksplice-known-exploit-detection-1.0.37-1.el7.x86_64.rpm | 8.0 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : ksplice-known-exploit-detection-1.0.37-1.el7.x86_64 1/1 Verifying : ksplice-known-exploit-detection-1.0.37-1.el7.x86_64 1/1 Installed: ksplice-known-exploit-detection.x86_64 0:1.0.37-1.el7 Complete!
Configure Ksplice To Enable The Feature
Next, edit /etc/uptrack/uptrack.conf and add the following lines to enable the Known Exploit Detection feature.
[Known-Exploit-Detection]
enabled = yes
Activate The Feature
Finally, activate the feature by running the kernel upgrade command:
# ksplice kernel upgrade
The following steps will be taken:
Install [4qu6sl1z] Known exploit detection.
Install [fjrhf1fw] Known exploit detection for CVE-2017-7308.
Go ahead [y/N]? y
Installing [4qu6sl1z] Known exploit detection.
Installing [fjrhf1fw] Known exploit detection for CVE-2017-7308.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-112.14.2.el7uek
Yes, you just read that right. Ksplice is used to hot patch in a new Ksplice feature.
You can also verify Known Exploit Detection is active for the currently running kernel:
# cat /proc/sys/kernel/known_exploit_detection
1
Let’s have a deeper look at what an example exploit and how unpatched and patched kernel react to an attempted breach.
An Example Exploit
For this article, we’ll look at CVE-2017-7308. This is a vulnerability in packet_set_ring() function in the kernel, found and documented (in great detail!) by Andrey Konovalov. The short version: you create an AF_PACKET socket and set the ring buffer size to an invalid value which is not sanity checked by the kernel. This causes a "heap out of bounds" write which allows an attacker to gain root access.
With a little tweaking, the publicly available exploit can be made to work against UEK4. Let's look at this exploit being run in a few scenarios:
- An older, unpatched UEK4 kernel
- A UEK4 kernel patched by Ksplice
- A UEK4 kernel patched by Ksplice with Known Exploit Detection
An older, unpatched UEK4
First, the exploit is executed against an older UEK4 kernel that is vulnerable to this bug.
$ uname -a
Linux ol-7-sys 4.1.12-61.1.27.el7uek.x86_64 #2 SMP Fri Feb 3 12:31:56 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
$ gcc poc.c
$ ./a.out
[.] starting
[.] namespace sandbox set up
[.] commit_creds: ffffffff810a78a0
[.] prepare_kernel_cred: ffffffff810a7bc0
[.] padding heap
[.] done, heap is padded
[.] executing get root payload 0x4013b0
[.] done, should be root now
[.] checking if we got root
[+] got r00t ^_^
# id
uid=0(root) gid=0(root) groups=0(root)
Since this old kernel is vulnerable, the attacker gains root access.
A UEK4 Kernel Patched By Ksplice
After a kernel is patched by Ksplice to address the vulnerability, attempts to exploit the bug fail.
$ ./a.out
[.] starting
[.] namespace sandbox set up
[.] commit_creds: ffffffff810a78a0
[.] prepare_kernel_cred: ffffffff810a7bc0
[.] padding heap
[.] done, heap is padded
[.] executing get root payload 0x4013b0
[-] setsockopt(PACKET_RX_RING): Invalid argument
Attack thwarted! Now, what about reporting this attempted breach.
A UEK4 kernel patched by Ksplice with Known Exploit Detection
With Known Exploit Detection enabled, not only is the security breach prevented, the attempted breach is logged to notify administrators there is an attacker on the system.
$ ./a.out
[.] starting
[.] namespace sandbox set up
[.] commit_creds: ffffffff810a78a0
[.] prepare_kernel_cred: ffffffff810a7bc0
[.] padding heap
[.] done, heap is padded
[.] executing get root payload 0x4013b0
[-] setsockopt(PACKET_RX_RING): Invalid argument
# dmesg | tail
[17445.172025] ksplice: Update 4qu6sl1z applied successfully
[17445.550689] ksplice: Update fjrhf1fw applied successfully
# journalctl | tail
Apr 02 13:36:09 ol-7-sys kernel: ksplice: Update 4qu6sl1z applied successfully
Apr 02 13:36:10 ol-7-sys kernel: ksplice: Update fjrhf1fw applied successfully
Apr 02 13:36:16 ol-7-sys log-known-exploit[22360]: exploit attempt detected; id=CVE-2017-7308 pid=22358 uid=1001 comm=a.out lost=0
The patched kernel is again not vulnerable to the CVE so the exploit fails. Also notice that Ksplice Known Exploit Detection reports the PID, UID, command, and CVE of the attempted breach into the journal file. The journal is only available to privileged users. It is also possible to configure email alerts for exploit detection. Please refer to the Ksplice Users's Guide for additional details.
Conclusion
Known Exploit Detection is another way Ksplice secures your system. Ksplice continues to close down vulnerabilities with zero downtime. And now you have the added security of being notified when attempted privilege escalation attacks are taken on your system.
If you aren't already using Ksplice, why not give it a go? Oracle Linux instances in OCI come preconfigured with Ksplice, and for all other uses, please visit the Ksplice website to learn how to get started in a few minutes.