[CentOS] an actual hacked machine, in a preserved state

Tue Jan 3 04:01:46 UTC 2012
RILINDO FOSTER <rilindo at me.com>

On Jan 2, 2012, at 9:37 PM, Bennett Haselton wrote:

> On 1/2/2012 9:18 AM, Les Mikesell wrote:
>> There have been many, many vulnerabilities that permit local user
>> privilege escalation to root (in the kernel, glibc, suid programs,
>> etc.) and there are probably many we still don't know about.  They
>> often require writing to the filesystem. For example, one fixed around
>> 5.4 just required the ability to make a symlink somewhere.   The
>> published exploit script (which I've seen in the wild) tries to use
>> /tmp.  If the httpd process can't write in /tmp, it would fail.
>> 
> 
> So are you saying that SELinux is supposed to prevent httpd from writing 
> to /tmp ?
> 
> Because I just tested that and SELinux didn't appear to stop it.  I set 
> selinux to "enforcing", rebooted just to make sure, and put this perl 
> script on my webserver:
> 
> #!/usr/bin/perl
> use IO::File;
> use strict;
> my $fh = IO::File->new("> /tmp/foo.txt");
> close($fh);
> print "Content-type: text/html\n\nDone.\n";
> 
> then invoked it from the web, and this file was created:
> [root at g6950-21025 ~]# ls -l /tmp/foo.txt
> -rw-r--r-- 1 apache apache 0 Jan  2 16:47 /tmp/foo.txt
> 
> [root at g6950-21025 ~]# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - SELinux is fully disabled.
> SELINUX=enforcing
> # SELINUXTYPE= type of policy in use. Possible values are:
> #       targeted - Only targeted network daemons are protected.
> #       strict - Full SELinux protection.
> SELINUXTYPE=targeted
> 
> 
Actually, SELinux needs to let http write to tmp, otherwise scripts such as those written in PHP will fail.

What it WON'T do is to let scripts execute from that directory. You have to explicitly enable it with:

setsebool -P httpd_tmp_exec on

So yes, it would have prevented attackers from launching exploit scripts in /tmp. Of course, mounting /tmp as not executable would work the same, but that requires that /tmp be a separate file system, which may not be an option if the server is already partitioned.*

 - Rilindo

*It could work if you use the --bind option. But I can't confirm that, unfortunately.
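As an added example (not from the thread or from CentOS itself), a small sh audit that checks the two controls Rilindo names: the `httpd_tmp_exec` boolean and whether /tmp is mounted noexec. Both checks parse text, so they can be exercised on a constructed /proc/mounts sample as well as on live output; reading /proc/mounts also covers a /tmp that was bind-mounted onto itself and remounted noexec, since that shows up as its own mount entry.

```shell
#!/bin/sh
# Added audit helper, not part of the original post.

# sebool_is_on LINE -> 0 when a `getsebool` line reads "<name> --> on"
sebool_is_on() {
    case "$1" in
        *"--> on") return 0 ;;
        *)         return 1 ;;
    esac
}

# mount_has_noexec MOUNTS_TEXT MOUNTPOINT -> 0 when the LAST /proc/mounts
# entry for MOUNTPOINT carries noexec; 1 when it does not; 2 when MOUNTPOINT
# is not a mount at all. The last entry wins because a later bind/remount
# of the same path overrides earlier ones.
mount_has_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp { opts = $4 }
        END {
            if (opts == "") exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }'
}

# Constructed sample (not a real host): /tmp bind-mounted onto itself and
# then remounted noexec, so two /tmp entries appear and the second applies.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,relatime 0 0
/dev/sda1 /tmp ext4 rw,noexec,nosuid,nodev,relatime 0 0'

# Live audit for a CentOS/RHEL-style host with the SELinux tools installed.
audit_tmp_exec() {
    if command -v getsebool >/dev/null 2>&1 &&
       sebool_is_on "$(getsebool httpd_tmp_exec 2>/dev/null)"; then
        echo "httpd_tmp_exec is on: httpd may execute files in /tmp"
    else
        echo "httpd_tmp_exec is off (or SELinux tools are absent)"
    fi
    if [ -r /proc/mounts ] && mount_has_noexec "$(cat /proc/mounts)" /tmp; then
        echo "/tmp is mounted noexec"
    else
        echo "/tmp is not mounted noexec (or is not a separate mount)"
    fi
}

case "${1:-}" in --live) audit_tmp_exec ;; esac
```

Run it as `sh audit.sh --live` on a host to report both settings; without the flag it only defines the functions.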