[ubuntu-hardened] CONFIG_DEVKMEM option and checksec.sh script: Syntax error, root user.
daniel curtis
sidetripping at gmail.com
Mon Aug 29 15:31:46 UTC 2016
Hello

Probably all of you know 'checksec'[1] - a bash script to check/list the
status of various Linux kernel protection mechanisms and the properties of
executables such as RELRO, NoExecute (NX), Stack Canaries, ASLR and PIE
etc. It was originally written by Tobias Klein.

A couple of days ago I decided to run 'checksec' ver. 1.5 on one of my
testing machines with the 12.04 LTS release. And something strange happened.
As we know, by default the root account password is locked in Ubuntu, right?
This means that the user cannot log in as root or use the su(1) command etc.

So, I used the 'chmod +x' command to make the script executable and ran
'checksec' with the '--kernel' flag (for testing purposes). Here's the result:

user@test[~]$ ./checksec.sh --kernel
user@test[~]$ sudo ./checksec.sh --kernel
root@test[~]$
Wait, I've become a root user? How is it possible? There is a 'Syntax
error:' on exiting:

root@test[~]$ exit
exit
./checksec.sh: 232: ./checksec.sh: Syntax error: "(" unexpected (expecting "fi")

It all happened when there was '/bin/bash' at the beginning instead of
'#!/bin/bash'. I made a mistake. But is it possible to become a root
user in such a situation? It seems that line 232 is responsible for checking
PaX support etc. (see script: # first check for PaX support).
Everything seems to work okay after adding '#!/bin/bash' to the script.
However, when checking, for example, '/bin/ls', there is a similar syntax
error:

user@test[~]$ sudo ./checksec.sh --file /bin/ls
./checksec.sh: 232: ./checksec.sh: Syntax error: "(" unexpected (expecting "fi")

But it does not apply to my question about becoming a root user on a system
where this account is locked. What do you think about this? Is this normal
or not? Could a lack of '#!/bin/bash' provide root access?
One more thing: there is information about CONFIG_DEVKMEM, which is set
to "n" (according to the wiki) on the Security/Feature wiki page[2], right?
So why is this option not set in the 12.04 LTS release? I'm just asking...
[~]$ grep CONFIG_DEVKMEM /boot/config-3.2.0-109-generic-pae
# CONFIG_DEVKMEM is not set
Best regards.
_____________
[1] http://www.trapkit.de/tools/checksec.html,
https://github.com/slimm609/checksec.sh
[2] https://wiki.ubuntu.com/Security/Features#dev-kmem