Abstract: Many processes running as services need privileges and often run as root. Some of them downgrade their privileges or run as other users however this is (contrary to popular belief) uncommon. In addition, some processes may not downgrade their privileges sufficiently and if exploited the attacker has far more room to pivot. The way to heavily mitigate this is with Mandatory Access Controls such as SELinux or GRSecurity’s RSBAC. This will make each process need specific permissions for each resource. There will be a discussion how to configure SELinux for the least amount of pain in addition to some other hardening mechanisms. We will discuss some advantages of MAC systems in virtualization and also discuss (since this is blackhat) how to behave as an attacker when dealing with hardened Linux systems and what to expect.

SELinux is not very difficult to administer however many admins are afraid of it. Some distros come with it by default, including some android implementations. However, because permissions can be done with SELiunx using the MAC system and therefore the Discressionary Access Controls are not necessary, if it is disabled the administrator opens up many opportunities for post-exploitation as the maintainers do not have much of a reason to configure the services to run as non root users.

With PaX we can actually prevent remote code execution and mitigate many impacts of exploitation and in many instances prevent exploits. We will show tested exploits failing with PaX. We will show PaX “”catching”” the attacker.

There will be demos preventing exploitation of vulnerable binaries. PaX will also be demonstrated to show the ease/annoyance of DoS. Not knowing about this can be dangerous. We will be using some new exploits such as CVE-2013-1763 in Linux 3.3-3.8 (the recent privilege escalation exploit) and show how the hardening can prevent exploitation and/or render the privilege escalation useless.

Back to Circle City Con 2014 Videos list