News, tips, partners, and perspectives for the Oracle Linux operating system and upstream Linux kernel work

Build, test and deploy on Oracle Cloud. Start now.

Technologies / Ksplice, Technologies
April 18, 2019

Using Ksplice To Detect Exploit Attempts

Jamie Iles

Ksplice is a very cool technology. Ksplice allows you to patch important security updates to your system without a reboot. The in-memory code is patched as well as on-disk components, closing all the gaps for a security vulnerability. All the while, your applications keep running.

A new feature of Ksplice is Known Exploit Detection. When you patch your system with Ksplice, not only is the security vulnerability closed, but also tripwires are laid down for privilege escalation vulnerabilities. If an attacker attempts to exploit a CVE you’ve patched, Ksplice notifies you.

Ksplice is both protecting your system and alerting you to suspicious activity. Very cool.

Installing & Enabling Known Exploit Detection

Known Exploit Detection is available in Oracle Linux with the Unbreakable Enterprise Kernel (UEK) by installing the ksplice-known-exploit-detection RPM. Packages are available for UEK5 and UEK4 now. UEK3 and UEK2 will follow in the near future.

Install the RPM

# yum install -y ksplice-known-exploit-detection
Resolving Dependencies
--> Running transaction check
---> Package ksplice-known-exploit-detection.x86_64 0:1.0.37-1.el7 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
===============================================================================================================
 Package                               Arch         Version                          Repository           Size
===============================================================================================================
Installing:
 ksplice-known-exploit-detection       x86_64       1.0.37-1.el7                     usplice-devel       8.0 k
 
Transaction Summary
===============================================================================================================
Install  1 Package
 
Total download size: 8.0 k
Installed size: 4.2 k
Downloading packages:
ksplice-known-exploit-detection-1.0.37-1.el7.x86_64.rpm                    | 8.0 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ksplice-known-exploit-detection-1.0.37-1.el7.x86_64                            1/1
  Verifying  : ksplice-known-exploit-detection-1.0.37-1.el7.x86_64                            1/1
 
Installed:
  ksplice-known-exploit-detection.x86_64 0:1.0.37-1.el7                                          
 
Complete!

Configure Ksplice To Enable The Feature

Next, edit /etc/uptrack/uptrack.conf and add the following lines to enable the Known Exploit Detection feature.


[Known-Exploit-Detection]
enabled = yes

Activate The Feature

Finally, activate the feature by running the kernel upgrade command:


# ksplice kernel upgrade
The following steps will be taken:
Install [4qu6sl1z] Known exploit detection.
Install [fjrhf1fw] Known exploit detection for CVE-2017-101234.
 
Go ahead [y/N]? y
Installing [4qu6sl1z] Known exploit detection.
Installing [fjrhf1fw] Known exploit detection for CVE-2017-101234.
Your kernel is fully up to date.
Effective kernel version is 4.1.12-112.14.2.el7uek

Yes, you just read that right. Ksplice is used to hot patch in a new Ksplice feature.

You can also verify Known Exploit Detection is active for the currently running kernel:


# cat /proc/sys/kernel/known_exploit_detection
1

Let’s have a deeper look at what an example exploit and how unpatched and patched kernel react to an attempted breach.

An Example Exploit

Let's look at this exploit being run in a few scenarios:

An older, unpatched UEK4 kernel
A UEK4 kernel patched by Ksplice
A UEK4 kernel patched by Ksplice with Known Exploit Detection

An older, unpatched UEK4

First, the exploit is executed against an older UEK4 kernel that is vulnerable to this bug.


$ uname -a
Linux ol-7-sys 4.1.12-61.1.27.el7uek.x86_64 #2 SMP Fri Feb 3 12:31:56 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
 
$ gcc poc.c
$ ./a.out
[.] starting
[.] namespace sandbox set up
[.] padding heap
[.] done, heap is padded
[.] executing get root payload 0x4013b0
[.] done, should be root now
[.] checking if we got root
[+] got r00t ^_^
 
# id
uid=0(root) gid=0(root) groups=0(root)

Since this old kernel is vulnerable, the attacker gains root access.

A UEK4 Kernel Patched By Ksplice

After a kernel is patched by Ksplice to address the vulnerability, attempts to exploit the bug fail.


$ ./a.out
[.] starting
[.] namespace sandbox set up
[.] padding heap
[.] done, heap is padded
[.] executing get root payload 0x4013b0
[-] setsockopt(PACKET_RX_RING): Invalid argument

Attack thwarted! Now, what about reporting this attempted breach.

A UEK4 kernel patched by Ksplice with Known Exploit Detection

With Known Exploit Detection enabled, not only is the security breach prevented, the attempted breach is logged to notify administrators there is an attacker on the system.


$ ./a.out
[.] starting
[.] namespace sandbox set up
[.] padding heap
[.] done, heap is padded
[.] executing get root payload 0x4013b0
[-] setsockopt(PACKET_RX_RING): Invalid argument
 
 
# dmesg | tail
[17445.172025] ksplice: Update 4qu6sl1z applied successfully
[17445.550689] ksplice: Update fjrhf1fw applied successfully
 
# journalctl | tail
Apr 02 13:36:09 ol-7-sys kernel: ksplice: Update 4qu6sl1z applied successfully
Apr 02 13:36:10 ol-7-sys kernel: ksplice: Update fjrhf1fw applied successfully
Apr 02 13:36:16 ol-7-sys log-known-exploit[22360]: exploit attempt detected; id=CVE-2017-101234 pid=22358 uid=1001 comm=a.out lost=0

The patched kernel is again not vulnerable to the CVE so the exploit fails. Also notice that Ksplice Known Exploit Detection reports the PID, UID, command, and CVE of the attempted breach into the journal file. The journal is only available to privileged users. It is also possible to configure email alerts for exploit detection. Please refer to the Ksplice Users's Guide for additional details.

Conclusion

Known Exploit Detection is another way Ksplice secures your system. Ksplice continues to close down vulnerabilities with zero downtime. And now you have the added security of being notified when attempted privilege escalation attacks are taken on your system.

If you aren't already using Ksplice, why not give it a go? Oracle Linux instances in OCI come preconfigured with Ksplice, and for all other uses, please visit the Ksplice website to learn how to get started in a few minutes.

Join the discussion

Comments ( 2 )

Mark Wednesday, June 24, 2020

For clarity, the uid elevation to run dmesg and journalctl in the last example was accomplished using something besides poc.c/a.out, correct? Could the command giving privilege escalation be shown? Thanks!
Simon Friday, June 26, 2020

Hi Mark,

dmesg/journalctl commands are used just to show that the attempted breach has been logged.
The attempted breach had been tried by executing "a.out".
We're not going to share the code executed to get privilege escalation.

Simon

Recent Content

Oracle