an unusual behavior


Update (August 2017):

The article below was written about 3 years ago. In the meantime a few people with much more knowledge than me stated that the behaviour was indeed odd but unlikely to be a break-in attempt.

situation

The following syslog entry (the full compressed syslog file is here) complains about a denied RWX mmap operation

Nov 6 13:29:27 tor-relay kernel: grsec: From 5.79.67.47: denied RWX mmap of by /var/lib/boinc/projects/secure.worldcommunitygrid.org/wcgrid_cep2_7.00_i686-pc-linux-gnu[wcgrid_cep2_7.0:16210] uid/euid:102/102 gid/egid:119/119, parent /var/lib/boinc/projects/secure.worldcommunitygrid.org/wcgrid_cep2_7.00_i686-pc-linux-gnu[wcgrid_cep2_7.0:16209] uid/euid:102/102 gid/egid:119/119

on the 6th of November 2014 at the Tor relay. The IP address 5.79.67.47 is not known. The executable "wcgrid_cep2_7.00_i686-pc-linux-gnu" was called by the Boinc client (volunteers around the world can donate their CPU resources to so-called "grid computing", a virtual supercomputer). In this case The Clean Energy Project: Phase 2 (CEP2), a subproject of the World Community Grid (WCG), is the creator of the executable. But the Boinc client was not explicitly granted permission to work on CEP2 tasks.

in detail

the ip address

The IP address 5.79.67.47 belongs to the hoster LeaseWeb. grsecurity usually logs the IP address of the (remote) system from which a user was logged in (if the command was issued by that user). The Tor server was rebooted on the 2nd of November at 11:21 am (wtmp-20141108.log). The Boinc client, however, is started automatically after boot. Therefore no IP address of a remote hoster should appear in a log message related to the Boinc process.
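The reasoning above (a daemon started at boot should not carry a login origin, so a "From <ip>:" prefix on a grsec denial for the Boinc service account is the thing to flag) can be turned into a small log check. The following is an added example, not code from the page or from grsecurity or Boinc: it parses grsec "denied RWX mmap/mprotect" lines from syslog, pulls out the remote address, binary, pid and uid, and reports denials attributed to a remote address for a process running under a service account. The first sample line is the entry from the page; the other two lines, the service uid set (102 is the uid shown in the page's entry) and the trusted-address set are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample log. Line 1 is the entry from the page; line 2 is a made-up
# denial without a login origin (no "From <ip>:" prefix); line 3 is an unrelated
# made-up kernel message that the parser must ignore.
SAMPLE_SYSLOG = """\
Nov 6 13:29:27 tor-relay kernel: grsec: From 5.79.67.47: denied RWX mmap of by /var/lib/boinc/projects/secure.worldcommunitygrid.org/wcgrid_cep2_7.00_i686-pc-linux-gnu[wcgrid_cep2_7.0:16210] uid/euid:102/102 gid/egid:119/119, parent /var/lib/boinc/projects/secure.worldcommunitygrid.org/wcgrid_cep2_7.00_i686-pc-linux-gnu[wcgrid_cep2_7.0:16209] uid/euid:102/102 gid/egid:119/119
Nov 6 14:02:11 tor-relay kernel: grsec: denied RWX mmap of by /usr/bin/example-jit[example-jit:2345] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2300] uid/euid:1000/1000 gid/egid:1000/1000
Nov 6 14:05:40 tor-relay kernel: eth0: link up
"""

# Shape of the grsec denial line as it appears on the page. The "From <ip>:" part is
# optional (grsec only adds it when it knows a login origin) and the mapped address
# after "of" is optional too, since the page's entry reads "mmap of by".
GRSEC_DENIED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: grsec: "
    r"(?:From (?P<ip>[0-9.]+): )?"
    r"denied (?P<perm>\S+) (?P<op>mmap|mprotect) of (?:(?P<addr>\S+) )?"
    r"by (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:, parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\])?"
)


@dataclass
class DeniedMapping:
    timestamp: str
    host: str
    remote_ip: Optional[str]      # None when grsec logged no login origin
    perm: str                     # e.g. "RWX"
    op: str                       # "mmap" or "mprotect"
    path: str
    comm: str
    pid: int
    uid: int
    parent_path: Optional[str]
    parent_pid: Optional[int]


@dataclass
class Finding:
    event: DeniedMapping
    reason: str


def parse_grsec_line(line: str) -> Optional[DeniedMapping]:
    """Return the parsed denial, or None for lines that are not grsec RWX denials."""
    m = GRSEC_DENIED_RE.match(line.strip())
    if not m:
        return None
    return DeniedMapping(
        timestamp=m["ts"], host=m["host"], remote_ip=m["ip"],
        perm=m["perm"], op=m["op"], path=m["path"], comm=m["comm"],
        pid=int(m["pid"]), uid=int(m["uid"]),
        parent_path=m["ppath"],
        parent_pid=int(m["ppid"]) if m["ppid"] else None,
    )


def denied_mappings(lines: Iterable[str]) -> List[DeniedMapping]:
    """All grsec RWX denials in the given syslog lines, in order."""
    events = (parse_grsec_line(line) for line in lines)
    return [ev for ev in events if ev is not None]


def review(lines: Iterable[str], service_uids: Set[int], trusted_ips: Set[str]) -> List[Finding]:
    """Flag denials whose login origin does not fit the process that caused them.

    A process running under a service uid is started at boot, not from a login
    session, so a remote address attached to it is the anomaly the page describes.
    Any other denial attributed to an address outside trusted_ips is reported as well.
    """
    findings: List[Finding] = []
    for ev in denied_mappings(lines):
        if ev.remote_ip is None or ev.remote_ip in trusted_ips:
            continue
        if ev.uid in service_uids:
            reason = (f"{ev.comm} (pid {ev.pid}) runs as service uid {ev.uid}, which has "
                      f"no login session, yet the denial is attributed to {ev.remote_ip}")
        else:
            reason = f"denial attributed to untrusted remote address {ev.remote_ip}"
        findings.append(Finding(ev, reason))
    return findings


if __name__ == "__main__":
    # Assumed for the example: uid 102 is the Boinc service account (as in the page's
    # entry) and there are no trusted remote addresses.
    for f in review(SAMPLE_SYSLOG.splitlines(), service_uids={102}, trusted_ips=set()):
        print(f"{f.event.timestamp} {f.event.host}: {f.event.perm} {f.event.op} by "
              f"{f.event.path} -> {f.reason}")
```

Run against the page's entry, the check reports exactly one finding: the CEP2 process (pid 16210, uid 102) with the denial attributed to 5.79.67.47. The second sample line is a plain RWX denial with no origin and is counted but not flagged, which is the normal look of a bug like the one the IRC discussion below describes.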

The mail from LeaseWeb just ended with: "We have closed this ticket." The CEP2 answer in its email: "The ip address mentioned here is not associated with The Clean Energy Project".

all work queues of subscribed WCG projects were empty

The Boinc client was not subscribed to work on CEP2 tasks. The subscribed WCG projects at the time of the 6th of November were: UGM, MCM and F@H. However, it was allowed to work on unsubscribed WCG projects if otherwise no task would be available. An entry of the Boinc log:

06-Nov-2014 13:32:32 [World Community Grid] No tasks are available for the applications you have selected

states exactly this. And this triggered the Boinc client to download the CEP2 executable to run a CEP2 task.

the RWX mmap

RWX memory mappings are forbidden by grsecurity, which is part of the hardened Gentoo Linux kernel. The following is an extract of a discussion in the IRC channel #grsecurity on the 4th of December related to RWX mmap operations.

	[19:57] <xxxxxxxx> which as a result of the connection tried to do the forbidden mapping
	[19:58] <xxxxxxxx> the reason why it was forbidden seems to be because the application tried to map a memory area with RWX permission which is totally forbidden by grsec
	[19:58] <xxxxxxxx> you can either RW or RX but not RWX
	[19:59] <xxxxxxxx> so this is clearly a bug in /var/lib/boinc/projects/secure.worldcommunitygrid.org/wcgrid_cep2_7.00_i686-pc-linux-gnu

	[20:00] <xxxxxxxx> if you grep the source code of this program for calls to "mmap", you should find one of them requests RWX permissions
	[20:00] <xxxxxxxx> so in the end it probably means this program never worked as expected on a grsecurity box
	[20:00] <xxxxxxxx> unless mprotect has been disabled of course

	[20:04] <xxxxxxxx> if you want to make those programs run anyway, you can disable mprotect on those binaries
	[20:05] <xxxxxxxx> but you have to carefully think about the implications
	[20:06] <xxxxxxxx> for example, if your program has a vulnerability, one could easily mmap some memory area as RWX, put shellcode there, and then jump to the start of the memory area
	[20:06] <xxxxxxxx> when you have mprotect enabled, the scenario I just mentioned would be harder to exploit
	[20:07] <xxxxxxxx> (not impossible though)
	[20:07] <xxxxxxxx> but you don't want attackers to exploit your vulns that easily

	[20:22] <xxxxxxxx> it's weird that it's doing a RWX mapping
	[20:22] <xxxxxxxx> hopefully it's just a mistake from the dev

	[20:23] <xxxxxxxx> some apps really need RWX mappings, such as flash player, java, some virtualization software etc
	[20:23] <xxxxxxxx> because in the end all those software are just allocating a big memory area, put some code there and execute it
	[20:24] <xxxxxxxx> I don't know much about boinc but there seems to be no valid reason for this mapping with all permissions

The content of the directory "/var/lib/boinc/projects/secure.worldcommunitygrid.org/" is archived in swo.tbz2 (183 MB), and the involved CEP2 executable itself is here.
The Boinc developers stated their position on RWX in this thread. Here is the answer from WCG related to the RWX mapping itself.

?

How likely is it that the empty work queues of all subscribed WCG projects, the RWX mmap and the remote IP 5.79.67.47 are no coincidence?
I appreciate any help in further investigations.

