Search This Blog
Showing posts with label hardening. Show all posts
Showing posts with label hardening. Show all posts

Tuesday, November 8, 2011

GRSecurity + Java = Killed + Headup = Running App

 When we work with hardened kernels and tools like grsecurity and PaX, we face problems like:

  1. The kernel kills applications.
  2. Some applications can not start.
  3. We can't compile applications.
  4. And many others.....

This problem depends on the security level configured in the kernel. We need to configure and tell the system that some blocked applications are reliable and trusted, this is because some legitimate applications will attempt to generate code at run time which is executed out of memory. PaX does not allow this and will promptly kill the offending application.

The most notable of these applications are XFree/Xorg, mplayer, and multimedia tools based on xine-lib and Java virtual machine.

homero / # java -version
Killed

homero / # uname -a
Linux homero 2.6.27.15-grsec-2.1.12-vs2.3.0.36.4 #11 SMP Fri Mar 25 17:30:38 CST 2011 i686 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux

homero ~ # tail -f /var/log/pax.log 
Aug  8 13:06:23 homero kernel: [7748633.853670] PAX: From X.X.X.X: execution attempt in: , 48f7f000-48fa7000 48f7f000
Aug  8 13:06:23 homero kernel: [7748633.853683] PAX: terminating task: /usr/local/jdk1.6.0_26/bin/java(java):18549, uid/euid: 0/0, PC: 48f7f040, SP: 4b05dddc
Aug  8 13:06:23 homero kernel: [7748633.853695] PAX: bytes at PC: f0 83 04 24 00 8b 44 24 0c c3 00 00 00 00 00 00 00 00 00 00 
Aug  8 13:06:23 homero kernel: [7748633.853718] PAX: bytes at SP-4:

homero bin # pwd
/usr/local/jdk1.6.0_26/bin

To solve this problem we need to work with some PaX utils and applications, such as paxctl and chpax, in order to change the rules of security but only with some applications.
homero bin # emerge pax-utils pax paxctl paxtest -pv
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R    ] sys-apps/paxctl-0.5  0 kB
[ebuild   R    ] app-misc/pax-utils-0.2.2  USE="caps" 0 kB
[ebuild   R    ] app-arch/pax-3.3.4  0 kB
[ebuild   R   ~] app-admin/paxtest-0.9.9-r2  0 kB

Total: 4 packages (4 reinstalls), Size of downloads: 0 kB

 * IMPORTANT: 4 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

First, we need to create the PT_PAX_FLAGS
homero bin # paxctl -C *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file appletviewer got a new PT_PAX_FLAGS program header
file apt got a new PT_PAX_FLAGS program header
file extcheck got a new PT_PAX_FLAGS program header
file idlj got a new PT_PAX_FLAGS program header
file jar got a new PT_PAX_FLAGS program header
file jarsigner got a new PT_PAX_FLAGS program header
file java got a new PT_PAX_FLAGS program header
file java-rmi.cgi is not a valid ELF executable
file javac got a new PT_PAX_FLAGS program header
file javadoc got a new PT_PAX_FLAGS program header
file javah got a new PT_PAX_FLAGS program header
file javap got a new PT_PAX_FLAGS program header
file javaws got a new PT_PAX_FLAGS program header
file jconsole got a new PT_PAX_FLAGS program header
file jcontrol is not a valid ELF executable
file jdb got a new PT_PAX_FLAGS program header
file jhat got a new PT_PAX_FLAGS program header
file jinfo got a new PT_PAX_FLAGS program header
file jmap got a new PT_PAX_FLAGS program header
file jps got a new PT_PAX_FLAGS program header
file jrunscript got a new PT_PAX_FLAGS program header
file jsadebugd got a new PT_PAX_FLAGS program header
file jstack got a new PT_PAX_FLAGS program header
file jstat got a new PT_PAX_FLAGS program header
file jstatd got a new PT_PAX_FLAGS program header
file jvisualvm is not a valid ELF executable
file keytool got a new PT_PAX_FLAGS program header
file native2ascii got a new PT_PAX_FLAGS program header
file orbd got a new PT_PAX_FLAGS program header
file pack200 got a new PT_PAX_FLAGS program header
file policytool got a new PT_PAX_FLAGS program header
file rmic got a new PT_PAX_FLAGS program header
file rmid got a new PT_PAX_FLAGS program header
file rmiregistry got a new PT_PAX_FLAGS program header
file schemagen got a new PT_PAX_FLAGS program header
file serialver got a new PT_PAX_FLAGS program header
file servertool got a new PT_PAX_FLAGS program header
file tnameserv got a new PT_PAX_FLAGS program header
file unpack200 got a new PT_PAX_FLAGS program header
file wsgen got a new PT_PAX_FLAGS program header
file wsimport got a new PT_PAX_FLAGS program header
file xjc got a new PT_PAX_FLAGS program header

homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -------x-e-- [java]
    RANDEXEC is disabled
    EMUTRAMP is disabled

The problem is the mprotect flag, because it is enabled.
Name
mprotect - control allowable accesses to a region of memory

Synopsis
#include 
int mprotect(const void *addr, size_t len, int prot);

Description
The function mprotect() specifies the desired protection for the memory page(s) containing part or all of the interval [addr,addr+len-1]. If an access is disallowed by the protection given it, the program receives a SIGSEGV. 

The goal of MPROTECT is to help prevent the introduction of new executable code into the task’s address space. This is accomplished by restricting the mmap() and mprotect() interfaces.

The restrictions prevent:
     - Creating executable anonymous mappings.
     - Creating executable/writable file mappings.
     - Making an executable/read-only file mapping writable except for performing relocations on an ET_DYN ELF file (non-PIC shared library).
     - Making a non-executable mapping executable.

So we need to disable it.
homero bin # paxctl -m *
file ControlPanel is not a valid ELF executable
file HtmlConverter is not a valid ELF executable
file java-rmi.cgi is not a valid ELF executable
file jcontrol is not a valid ELF executable
file jvisualvm is not a valid ELF executable

homero bin # paxctl -v java
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

- PaX flags: -----m-x-e-- [java]
    MPROTECT is disabled
    RANDEXEC is disabled
    EMUTRAMP is disabled

homero bin # java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode)

And now we can run any java application on our hardened system.












at






















Labels:
,
,
,
,






















          

        

          

        

Monday, September 12, 2011


          

        









Hardened environment running GRSecurity and VMWare Server











After a common install of vmware-server...
vm-win ~ # emerge vmware-server -pv

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   Rf  ] app-emulation/vmware-server-2.0.2.203138-r1  0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB
Fetch Restriction: 1 package

 * IMPORTANT: 3 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

... our vmware-server cannot start, to solve this problem we need to work with some PaX utils and applications, such as paxctl and chpax, in order to change the rules of security but only with some applications.
vm-win ~ # emerge pax-utils pax paxctl paxtest -pv
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild   R   ] sys-apps/paxctl-0.5  0 kB
[ebuild   R   ] app-misc/pax-utils-0.2.1  USE="caps" 0 kB
[ebuild   R   ] app-arch/pax-3.3.4  0 kB
[ebuild   R   ] app-admin/paxtest-0.9.9-r1  0 kB

Total: 4 packages (4 reinstalls), Size of downloads: 0 kB

 * IMPORTANT: 4 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.

Here are some options.
vm-win ~ # chpax --help
chpax 0.7 .::. Manage PaX flags for binaries
Usage: chpax OPTIONS FILE1 FILE2 FILEN ...
  -P	enforce paging based non-executable pages
  -p	do not enforce paging based non-executable pages
  -E	emulate trampolines
  -e	do not emulate trampolines
  -M	restrict mprotect()
  -m	do not restrict mprotect()
  -R	randomize mmap() base [ELF only]
  -r	do not randomize mmap() base [ELF only]
  -X	randomize ET_EXEC base [ELF only]
  -x	do not randomize ET_EXEC base [ELF only]
  -S	enforce segmentation based non-executable pages
  -s	do not enforce segmentation based non-executable pages
  -v	view current flag mask 
  -z	zero flag mask (next flags still apply)

The flags only have effect when running the patched Linux kernel.


vm-win ~ # paxctl -h

PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team 

usage: paxctl 

options:
	-p: disable PAGEEXEC		-P: enable PAGEEXEC
	-e: disable EMUTRMAP		-E: enable EMUTRMAP
	-m: disable MPROTECT		-M: enable MPROTECT
	-r: disable RANDMMAP		-R: enable RANDMMAP
	-x: disable RANDEXEC		-X: enable RANDEXEC
	-s: disable SEGMEXEC		-S: enable SEGMEXEC

	-v: view flags			-z: restore default flags
	-q: suppress error messages	-Q: report flags in short format
	-c: convert PT_GNU_STACK into PT_PAX_FLAGS (see manpage!)
	-C: create PT_PAX_FLAGS (see manpage!)


The next script will change the security policy rules of the vmware-server-2.0.2.
First the config and opts file.
vm-win ~ # cat /etc/conf.d/grsecurity

# /etc/conf.d/grsecurity

CHPAX_CMD="/sbin/chpax"
CHPAX_OPTIONS="-rsm"

PAXCTL_CMD="/sbin/paxctl"
PAXCTL_OPTIONS="-pemrxs"
PAXCTL_OPTIONS_="-z"
PAXCTL_CONVERT="-c"

Then the init script.
vm-win ~ # cat /etc/init.d/grsecurity

#!/sbin/runscript
# Copyright 1999-2010 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
	before vmware
}

start() {
	ebegin "Setting grsecurity rules and options"
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-hostd
	${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/lib/bin/vmware-hostd

	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/bin/vmnet-bridge
	${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/bin/vmnet-bridge

	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-vmx
	${PAXCTL_CMD} ${PAXCTL_OPTIONS} /opt/vmware/server/lib/bin/vmware-vmx
}

stop(){
	ebegin "Restoring default grsecurity rules and options"
	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-hostd
        ${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/lib/bin/vmware-hostd

	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/bin/vmnet-bridge
        ${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/bin/vmnet-bridge

	${PAXCTL_CMD} ${PAXCTL_CONVERT} /opt/vmware/server/lib/bin/vmware-vmx
        ${PAXCTL_CMD} ${PAXCTL_OPTIONS_} /opt/vmware/server/lib/bin/vmware-vmx
}

restart() {
	stop
	start
}


I know!!!!.... This is an ugly script, but it worked at a "Hardened Gentoo [server] " security level.

┌────────────────────────── Security Level ──────────────────────────┐                                                                  
│  Use the arrow keys to navigate this window or press the hotkey of │                                                                  
│  the item you wish to select followed by the . Press    │                                                                  
│  > for additional information about this option.                 │                                                                  
│ ┌────────────────────────────────────────────────────────────────┐ │                                                                  
│ │           ( ) Low                                              │ │                                                                  
│ │           ( ) Medium                                           │ │                                                                  
│ │           ( ) High                                             │ │                                                                  
│ │           (X) Hardened Gentoo [server]                         │ │                                                                  
│ │           ( ) Hardened Gentoo [server no rbac]                 │ │                                                                  
│ │           ( ) Hardened Gentoo [workstation]                    │ │                                                                  
│ └───────────────v(+)─────────────────────────────────────────────┘ │                                                                  
├────────────────────────────────────────────────────────────────────┤                                                                  
│                                                    │                                                                  
└────────────────────────────────────────────────────────────────────┘                                                                  


Runing kernel

vm-win ~ # uname -a

Linux vm-win 2.6.35-hardened #7 SMP Thu Sep 30 22:13:03 GMT 2010 x86_64 Intel(R) Xeon(R) CPU L5410 @ 2.33GHz GenuineIntel GNU/Linux


And now... all is running correctly.
vm-win ~ # ps ax

  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 init [3]  

   ..........

 2010 ?        Ss     0:00 /usr/bin/svscan /service
 2038 ?        Ss     0:00 /usr/sbin/cron
 2125 ?        Ss     0:00 /opt/vmware/server/bin/vmnet-bridge -d /var/run/vmnet-bridge-0.pid -n 0 -i eth0
 2404 ?        Ss     0:00 /opt/vmware/server/sbin/vmware-authdlauncher
 2418 ?        S      0:00 /bin/sh /opt/vmware/server/bin/vmware-watchdog -s webAccess -u 30 -q 5 /opt/vmware/server/lib/webAccess/java/jre1.5.0_15/bin/webAccess -client -Xmx64m -XX:MinHeapFreeRatio=30 
 2441 ?        Ssl    0:29 /opt/vmware/server/lib/webAccess/java/jre1.5.0_15/bin/webAccess -client -Xmx64m -XX:MinHeapFreeRatio=30 -XX:MaxHeapFreeRatio=30 -Djava.util.logging.manager=org.apache.juli.Cla
 2523 ?        Ssl    0:21 /opt/vmware/server/lib/bin/vmware-hostd -a -d -u /etc/vmware/hostd/config.xml
 2576 ?        Ssl    9:31 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;
 2642 ?        Ssl    3:34 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;
 2676 ?        Ssl    3:48 /opt/vmware/server/lib/bin/vmware-vmx -# product=2;name=VMware Server;version=2.0.2;buildnumber=203138;licensename=VMware GSX Server for Linux;licenseversion=3.0 build-203138;












at






















Labels:
,
,
,
,

















        

      









Subscribe to:
Posts (Atom)