6 points by hardenedlinux 5 hours ago | 3 comments
  • juancn 4 hours ago
    It's nothing revolutionary: essentially you change your own process for another binary, but for this you need to take over the process in the first place, which is usually the hard part.

    It's mildly interesting that they didn't call exec() and parse the ELF manually, but that's about it.

    • nyrikki 3 hours ago
      > Run services in the tightest possible DAC/MAC sandbox with minimal caps.

      That is what is dangerous, especially with containers where people run with the container root with elevated privileges.

      With ollama, llama.cpp, and many other often agent containers that will run arbitrary code, and are running with the ability to bypass MACs, plus the fact that VFS and IPC aren’t really namespaced away, it is complicated.

      When you can’t even convince popular funded projects to add ‘USER foo’ to a Dockerfile, this method is trivial.

      If you looked into the state of LSMs and how every complicated or difficult project is basically unconstrained, it should be concerning.

      ~15 lines of C and LD_PRELOAD gets you privileged user namespaces on Debian-based systems because of busybox as an example, which is a required package yet privileged in AppArmor.

      • yjftsjthsd-h 2 hours ago
        What does this look like in practice? You mean you can go from root inside docker to running things outside the container? How exactly?
    • tosti 2 hours ago
      This is how exploits always work and nothing new at all. It's like having barrier tape around a construction site as a warning when someone holds it up and says "Ha, I can still get in!"
  • takipsizad 4 hours ago
    This article sounds extremely robotic and AI generated.
  • tux3 4 hours ago
    I'm getting a little tired of blog posts that are just raw, unedited ChatGPT output, chief.

    If you have arbitrary code execution, you can execute more arbitrary code on disk without calling exec. Better yet if you care about stealth is to not touch the disk at all, and keep everything in memory, downloading your next stage from a server directly into RAM.