The article below was written about 3 years ago. In the meantime a few people with much more knowledge than me stated that the behaviour was indeed odd, but unlikely to be a break-in attempt.
The following syslog entry (the full compressed syslog file is here) complains about a denied RWX mmap operation:
Nov 6 13:29:27 tor-relay kernel: grsec: From 220.127.116.11: denied RWX mmap of
The IP address 18.104.22.168 belongs to the hoster LeaseWeb. The address in the "From" field is the one grsecurity has attached to the process: it is set to the peer address when a process accepts a TCP connection and is inherited by every child forked afterwards, which is why a command issued in an SSH session is logged with the address the user logged in from. The Tor server had been rebooted on 2 November at 11:21 am (wtmp-20141108.log) and the BOINC client is started automatically after boot, not from a login session, so an address of a remote hoster showing up on a BOINC process means that the client or one of its ancestors had accepted a connection from that host, which nothing in the boot-time start-up explains.
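As an added example (not part of the original page), here is a small parser for grsecurity's RWX denial entries that pulls out the From address, the operation, the mapped object, the process and its parent, and flags entries whose From address is not loopback. The two sample lines are constructed here in the layout gr_log uses (subject and parent as path[comm:pid] followed by uid/gid fields); the address, paths and PIDs in them are made up and are not taken from the relay's log.

```c
/* Added example: parse grsecurity "denied RWX mmap/mprotect" log lines.
 * Not code from the page; sample lines below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct grsec_rwx {
    char from_ip[16];      /* empty when the entry has no "From" prefix (grsec logs IPv4 only) */
    char op[16];           /* "mmap" or "mprotect" */
    char target[256];      /* file path or "<anonymous mapping>" */
    char exe[256];         /* path of the offending process */
    char comm[17];         /* its comm, at most 16 characters */
    int  pid;
    char parent_exe[256];
    int  parent_pid;
};

/* Copy the bytes [s, e) into dst, truncating to fit. */
static void copy_span(char *dst, size_t cap, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n >= cap) n = cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Parse "/path[comm:pid]" at p; return the position after ']' or NULL. */
static const char *parse_subject(const char *p, char *exe, size_t exe_cap,
                                 char *comm, size_t comm_cap, int *pid)
{
    const char *lb = strchr(p, '[');
    const char *rb = lb ? strchr(lb, ']') : NULL;
    const char *colon = NULL;
    if (!rb) return NULL;
    for (const char *q = rb; q > lb; q--)      /* last ':' inside the brackets */
        if (*q == ':') { colon = q; break; }
    if (!colon) return NULL;
    copy_span(exe, exe_cap, p, lb);
    copy_span(comm, comm_cap, lb + 1, colon);
    *pid = atoi(colon + 1);
    return rb + 1;
}

/* Returns 1 and fills *out when line is an RWX denial, 0 otherwise. */
int parse_grsec_rwx(const char *line, struct grsec_rwx *out)
{
    const char *p, *sp, *by, *par;
    char parent_comm[17];

    memset(out, 0, sizeof *out);
    p = strstr(line, "grsec: ");
    if (!p) return 0;
    p += 7;
    if (strncmp(p, "From ", 5) == 0) {         /* optional "From a.b.c.d: " */
        const char *colon = strchr(p + 5, ':');
        if (!colon) return 0;
        copy_span(out->from_ip, sizeof out->from_ip, p + 5, colon);
        p = colon + 1;
        while (*p == ' ') p++;
    }
    if (strncmp(p, "denied RWX ", 11) != 0) return 0;
    p += 11;
    sp = strchr(p, ' ');
    if (!sp || strncmp(sp, " of ", 4) != 0) return 0;
    copy_span(out->op, sizeof out->op, p, sp);
    p = sp + 4;
    by = strstr(p, " by ");
    if (!by) return 0;
    copy_span(out->target, sizeof out->target, p, by);
    p = parse_subject(by + 4, out->exe, sizeof out->exe, out->comm, sizeof out->comm, &out->pid);
    if (!p) return 0;
    par = strstr(p, ", parent ");
    if (!par) return 0;
    return parse_subject(par + 9, out->parent_exe, sizeof out->parent_exe,
                         parent_comm, sizeof parent_comm, &out->parent_pid) != NULL;
}

/* grsecurity attaches the peer address of an accepted TCP connection to the process
 * (children inherit it): a loopback "From" is local tooling, anything else deserves
 * a look at what that process tree was listening on. */
int from_is_remote(const struct grsec_rwx *e)
{
    return e->from_ip[0] != '\0' && strncmp(e->from_ip, "127.", 4) != 0;
}

/* Constructed sample lines in gr_log layout; address, paths and PIDs are made up. */
const char *const SAMPLE_LINES[] = {
    "Nov  6 13:29:27 tor-relay kernel: grsec: From 203.0.113.5: denied RWX mmap of "
    "<anonymous mapping> by /var/lib/boinc/projects/secure.worldcommunitygrid.org/"
    "wcgrid_cep2_7.00_i686-pc-linux-gnu[wcgrid_cep2_7.0:4242] uid/euid:101/101 "
    "gid/egid:101/101, parent /usr/bin/boinc_client[boinc_client:1234] uid/euid:101/101 gid/egid:101/101",
    "Nov  6 13:30:01 tor-relay kernel: grsec: denied RWX mprotect of /usr/lib/libfoo.so "
    "by /usr/bin/jitapp[jitapp:555] uid/euid:1000/1000 gid/egid:1000/1000, parent "
    "/bin/bash[bash:500] uid/euid:1000/1000 gid/egid:1000/1000",
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0];

int main(void)
{
    struct grsec_rwx e;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (parse_grsec_rwx(SAMPLE_LINES[i], &e))
            printf("%-8s %s by %s[%d] parent %s[%d] from %s%s\n", e.op, e.target, e.exe,
                   e.pid, e.parent_exe, e.parent_pid, e.from_ip[0] ? e.from_ip : "-",
                   from_is_remote(&e) ? " (remote)" : "");
    return 0;
}
```

Run it over a real syslog by reading lines from stdin instead of SAMPLE_LINES; the from_is_remote() check is the part that would have singled out the entry above.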
The mail from LeaseWeb just ended with: "We have closed this ticket."
The answer from CEP2 in its email:
"The ip address mentioned here is not associated with The Clean Energy Project".
The BOINC client was not subscribed to CEP2 tasks. The subscribed WCG projects on 6 November were UGM, MCM and F@H. However, it was allowed to work on unsubscribed WCG projects if no task from the subscribed ones was available. An entry from the BOINC log:
06-Nov-2014 13:32:32 [World Community Grid] No tasks are available for the applications you have selected
RWX mappings are forbidden by PaX MPROTECT, part of the grsecurity patch set that Gentoo ships in its hardened kernel (hardened-sources).
An extract of a discussion on the #grsecurity IRC channel on 4 December about RWX mmap operations follows.
[19:57] <xxxxxxxx> which as a result of the connection tried to do the forbidden mapping
[19:58] <xxxxxxxx> the reason why it was forbidden seems to be because the application tried to map a memory area with RWX permission which is totally forbidden by grsec
[19:58] <xxxxxxxx> you can either RW or RX but not RWX
[19:59] <xxxxxxxx> so this is clearly a bug in /var/lib/boinc/projects/secure.worldcommunitygrid.org/wcgrid_cep2_7.00_i686-pc-linux-gnu
[20:00] <xxxxxxxx> if you grep the source code of this program for calls to "mmap", you should find one of them request RWX permissions
[20:00] <xxxxxxxx> so in the end it probably means this program never worked as expected on a grsecurity box
[20:00] <xxxxxxxx> unless mprotect has been disabled of course
[20:04] <xxxxxxxx> if you want to make those programs run anyway, you can disable mprotect on those binaries
[20:05] <xxxxxxxx> but you have to carefully think about the implications
[20:06] <xxxxxxxx> for example, if your program has a vulnerability, one could easily mmap some memory area as RWX, put shellcode there, and then jump to the start of the memory area
[20:06] <xxxxxxxx> when you have mprotect enabled, the scenario I just mentioned would be harder to exploit
[20:07] <xxxxxxxx> (not impossible though)
[20:07] <xxxxxxxx> but you don't want attackers to exploit your vulns that easily
[20:22] <xxxxxxxx> it's weird that it's doing a RWX mapping
[20:22] <xxxxxxxx> hopefully it's just a mistake from the dev
[20:23] <xxxxxxxx> some apps really need RWX mappings, such as flash player, java, some virtualization software etc
[20:23] <xxxxxxxx> because in the end all those software are just allocating a big memory area, put some code there and execute it
[20:24] <xxxxxxxx> I don't know much about boinc but there seems to be no valid reason for this mapping with all permissions
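The two ways a program can get code it has just written into memory to run, as an added example that is not code from the page, from BOINC or from WCG. rwx_probe() does what the log entry complains about: one anonymous mapping that is readable, writable and executable at once. On a stock kernel it succeeds; under PaX MPROTECT the mmap() fails with EPERM and the kernel writes the "denied RWX mmap of <anonymous mapping>" line. jit_constant() is the W^X form the IRC excerpt recommends: write into an RW page, then flip it to RX before jumping to it. Stock kernels allow that; full MPROTECT refuses the mprotect() as well, because a mapping created without PROT_EXEC cannot be made executable later, which is why JIT-style programs need the per-binary mprotect exemption (paxctl -m) discussed above, with the consequences described there. The emitted machine code is my own for x86-64 and AArch64 only; other CPUs get no JIT.

```c
/* Added example: RWX mapping versus W^X JIT. Not code from the page or from BOINC/WCG. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict ISO C mode hid it */
#endif

/* The pattern PaX MPROTECT logs and rejects: one RWX anonymous mapping.
 * Returns 0 when the kernel granted it, otherwise the errno it failed with
 * (EPERM under MPROTECT, EACCES under an SELinux execmem denial). */
int rwx_probe(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, len);
    return 0;
}

/* 1 when this file can emit "return <imm>" for the CPU it runs on. */
int jit_supported(void)
{
#if defined(__x86_64__) || defined(__aarch64__)
    return 1;
#else
    return 0;
#endif
}

/* Write a function that returns imm into buf; returns the byte count (0 = unsupported). */
static size_t emit_return_imm(uint8_t *buf, uint16_t imm)
{
#if defined(__x86_64__)
    uint32_t v = imm;
    buf[0] = 0xb8;                 /* mov eax, imm32 */
    memcpy(buf + 1, &v, 4);
    buf[5] = 0xc3;                 /* ret */
    return 6;
#elif defined(__aarch64__)
    uint32_t insn[2] = { 0x52800000u | ((uint32_t)imm << 5),   /* movz w0, #imm */
                         0xd65f03c0u };                         /* ret */
    memcpy(buf, insn, sizeof insn);
    return sizeof insn;
#else
    (void)buf; (void)imm;
    return 0;
#endif
}

/* W^X JIT: RW page -> write code -> RX page -> call. Returns imm, or -1 on failure. */
int jit_constant(uint16_t imm)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int (*fn)(void);
    int r;
    if (page == MAP_FAILED)
        return -1;
    size_t n = emit_return_imm(page, imm);
    if (n == 0) {
        munmap(page, len);
        return -1;
    }
    /* The page is never writable and executable at the same time. Under PaX
     * MPROTECT this call is what fails (and is logged), unless paxctl -m was set. */
    if (mprotect(page, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, len);
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + n);  /* required on arm64, no-op on x86 */
    memcpy(&fn, &page, sizeof fn);   /* data pointer -> function pointer without a cast warning */
    r = fn();
    munmap(page, len);
    return r;
}

int main(void)
{
    int e = rwx_probe();
    printf("RWX anonymous mmap: %s\n", e == 0 ? "allowed" : strerror(e));
    printf("W^X JIT returned %d\n", jit_constant(42));
    return 0;
}
```

On a hardened box with MPROTECT active the first line reads "Operation not permitted" and the second prints -1, and dmesg shows the same "denied RWX mmap" entry as in the syslog above, now with the probe binary as the subject; that is the quickest way to confirm that a given "denied RWX" line is the policy working rather than something an attacker did.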
The content of the directory "/var/lib/boinc/projects/secure.worldcommunitygrid.org/" is archived in swo.tbz2 (183 MB).
And here is the CEP2 executable involved, by itself.
The BOINC developers stated their position on RWX in this thread. Here is the answer from WCG about the RWX mapping itself.
How likely is it that all three are a coincidence: all subscribed WCG queues being empty, the RWX mmap, and the remote IP 22.214.171.124?
I appreciate any help in further investigations.