Linux Systems Vulnerable to New ‘noexec’ Bypass Technique: Arbitrary Code Execution Now Possible
Security researchers have unveiled a novel technique that allows attackers to bypass the ‘noexec’ flag in Linux systems, potentially enabling the execution of malicious code even on partitions specifically configured to prevent it.
The ‘noexec’ flag is a crucial security measure in Linux, preventing the execution of binary files on designated partitions, such as /tmp or /dev/shm. This restriction is designed to thwart attackers who attempt to upload and execute malware on these commonly targeted areas. However, the newly discovered method circumvents this protection using a clever combination of Perl, Bash, and PHP scripts.
What makes this technique particularly concerning is its ability to execute binaries downloaded directly from the internet, even on partitions with ‘noexec’ enabled. This is achieved by leveraging system calls like memfd_create and execveat to inject shellcode into running processes and load the binary from memory. Furthermore, the method does not require root privileges, making it accessible to a wider range of potential attackers.
Researchers have demonstrated the technique’s effectiveness by showcasing examples where common commands like id are executed without root access, even on ‘noexec’ partitions. More alarmingly, they have shown how attackers could use this method to download and execute malicious payloads from remote servers using simple commands.
A Perl example demonstrates how the ‘id’ command can be executed without root privileges:
In Bash, this can be achieved similarly:
The educated reader understands that this is mostly used to pipe a backdoor from the Internet directly into memory, even when execution is prohibited by noexec:
The method effectively bypasses command execution restrictions in PHP through similar scripts, representing a significant vulnerability for systems relying on such restrictions to guard against malicious code.
Researchers continue to analyze this technique and its potential implications for Linux system security, emphasizing the importance of implementing additional safeguards to prevent the use of this method in real-world attacks. It is also recommended to monitor access to system calls and restrict their use, particularly in environments with heightened security requirements.
Related Posts:
- New Linux Variant of DPRK-Attributed FASTCash Malware Discovered
- New Skidmap Rootkit Variant Targets Enterprise Linux Servers via Redis Vulnerabilities
- Snapekit Rootkit Unveiled: A Stealthy Threat Targeting Arch Linux
- Linux Servers Under Siege: “Perfctl” Malware Evades Detection for Years
- CVE-2024-26808: PoC Exploit Shows Local Privilege Escalation Risk in Linux
