A recent discovery in the Linux ecosystem has unveiled a method to bypass the ‘noexec’ mount flag, enabling malicious code execution on systems that were previously thought to be secure.
This vulnerability exploits a combination of Linux system calls and process memory manipulation to execute binaries without touching the file system, a technique known as fileless execution.
The ‘noexec’ mount flag is a security feature designed to prevent the execution of binaries on specific file systems, such as temporary file systems (tmpfs) like `/dev/shm`.
However, researchers have found a way to circumvent this restriction by leveraging the `memfd_create` system call and modifying process memory through `/proc/self/mem`.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)
Linux System ‘noexec’ Mount Flag Bypass
1. Creating a Memory-Backed File Descriptor: The `memfd_create` system call is used to create a file descriptor that refers to a file entirely in RAM, bypassing the need for persistent storage.
2. Modifying Process Memory: The `/proc/self/mem` interface is used to write arbitrary shellcode to the process memory.
This shellcode is then executed by overwriting the Instruction Pointer, ensuring that when the CPU resumes execution, the malicious code is run instead of the original process code.
3. Executing the Binary: The shellcode creates a memory-backed file descriptor using `memfd_create`, copies the binary from stdin to this descriptor, and then uses `execveat` to execute the binary stored in the memory file descriptor.
This technique is particularly concerning because it can be executed in environments where traditional execution methods are restricted, such as in read-only file systems or when the ‘noexec’ mount flag is enforced.
Additionally, it leaves no trace on the file system, making it a challenging threat to detect and mitigate.
The researchers have also demonstrated that similar exploits can be achieved using Perl and PHP, highlighting the versatility of this attack vector.
The Perl variant is particularly noteworthy as it does not require shellcode or access to `/proc/self/mem`, making it effective even in containerized environments.
To prevent such attacks, it is crucial to restrict access to `memfd_create` and other sensitive system calls, and to implement additional security measures such as SELinux or GRSecurity, which can limit the capabilities of malicious processes.
This discovery underscores the ongoing cat-and-mouse game between security researchers and malicious actors, emphasizing the need for continuous vigilance and innovation in cybersecurity.
As the threat landscape evolves, it is essential for system administrators and security professionals to stay informed and adapt their defenses accordingly.
Strategies to Protect Websites & APIs from Malware Attack => Free Webinar