openSUSE ASLR + -fpic -pie

Hi,

Just wanted to ask if the precompiled packages that come with openSUSE are compiled with -fPIC -PIE, since I’ve read that ASLR doesn’t do much good if those compile options aren’t passed to gcc. The reason I ask this is that I want to patch the upcoming openSUSE kernel with grsecurity+PaX to hopefully make it harder for remote exploits to work. Since my openSUSE 11.4 stock installation was cracked within two weeks after installation, and root/user passwords were separate and not the easiest passwords one could think of, I don’t want to take any chances this time.

If someone knows the default compile flags used in openSUSE, and whether the -fPIC -pie compile options are really necessary to make PaX ASLR/randomize_va_space work, I would really appreciate further information.

Thanks,
axls

On 11/12/2011 03:16 PM, axls wrote:

> Since my openSUSE 11.4 stock installation was cracked within two weeks
> after installation … I don’t want to take any chances this time.

-=WELCOME=- new poster, but i must admit i am astounded!!!

why? because i’ve run default installed SuSE, SUSE and openSUSE since
9.1 or so and never been cracked (of course, i wasn’t ever cracked on
Fedora, Red Hat, Mandrake [and others] before that either)…

and, once cracked then what have you run since?? did you clean install
openSUSE again, or what? were you again cracked, or what?

> If someone knows the default compile flags used in openSUSE and are the
> -fPIC -pie compile options really necessary to make PaX
> ASLR/randomize_va_space to work I would really appreciate further
> information.

sorry, i can’t address that question (don’t have a clue)…except to
say you can (of course) compile all the bits and pieces with whatever
switches you wish…


DD
openSUSE®, the “German Automobiles” of operating systems

On 2011-11-12 15:16, axls wrote:

> Since my openSUSE 11.4 stock installation was cracked within two weeks
> after installation and root/user passwords were separate and not the
> easiest to passwords one could think, I don’t want to take any chances
> this time.

I’m sure the chaps on the security mail list will be interested to hear of
that.

> If someone knows the default compile flags used in openSUSE and are the
> -fPIC -pie compile options really necessary to make PaX
> ASLR/randomize_va_space to work I would really appreciate further
> information.

You would have to ask the devs or packagers, and they don’t read the
forums. You could try in that mail list.

Or, download the sources and inspect the .spec files they used.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Sat, 12 Nov 2011 14:16:03 +0000, axls wrote:

> Since my openSUSE 11.4 stock installation was cracked within two weeks
> after installation and root/user passwords were separate and not the
> easiest to passwords one could think, I don’t want to take any chances
> this time.

I’m not sure that it follows that the reason this happened was because of
compile-time options used for the packages. What leads you to that
conclusion?

I’ve been running openSUSE and SUSE Professional since version 9.1 and
SLES 9 and 10 on systems exposed to the outside world and haven’t had an
exploit used like the one you describe.

You might look into enabling Apparmor on your setup as well, and ensure
that the firewall is configured properly.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

> Since my openSUSE 11.4 stock installation was cracked within two weeks after installation and root/user passwords were separate and not the easiest to passwords one could think, I don’t want to take any chances this time.

I think you need to be more concerned about your own system security, than worrying about how the openSUSE RPMs are compiled. Maybe consider installing rkhunter (or similar) too.

> and, once cracked then what have you run since?? did you clean install
> openSUSE again, or what? were you again cracked, or what?

What happened was that I was running a DC client with normal user privileges (don’t remember if that was Jucy + SUN jre or linuxdcpp) and ktorrent overnight. When I returned to my computer the next morning to shut down the computer I wondered why the hdd led was burning so long, panicked and pushed the reboot button to hard reset the system.

What I found after rebooting and logging in was that my entire home folder was moved. I mean moved, not deleted, and a single zero-byte file was written to the root filesystem. The file was named “success”. After that I reinstalled openSUSE 11.4 with default settings with the network cable unplugged. Again, I didn’t touch anything - I don’t even know how to configure AppArmor and I really don’t even want to do that, just use the system - except installing some multimedia packages from Packman, so AppArmor was running with default settings. The only listening ports were the RPC port and some other port that were open by default. I created new passwords again with mixed characters/numbers. The root password was 15 chars long.

After a while of running that, when I booted my system I wondered how on earth the boot took so much time, so I changed to tty1 to see more than the boot logo. The last message from some modified init script was something like “waiting for none…”. In short the system couldn’t boot because it was cracked again and the init scripts were modified (probably using the same security hole). I could however boot into the failsafe environment just fine but couldn’t trust Linux anymore (which was a shame since openSUSE offered by far the best desktop experience I’ve ever had with Linux). So I installed PC-BSD to hopefully thwart the attacks (maybe the hacker didn’t know that system so well) and awaited the next openSUSE release while searching for various ways to harden my system.

This shouldn’t come as so much of a surprise to you after what happened to Sony and kernel.org IMO, but thanks for the advice, I’ll try my luck on the security mailing list. At this time I guess if I ever want to use Linux again as my only system, since I don’t normally dual-boot, it is to use the PaX+grsecurity patches against the vanilla kernel and cross my fingers.

I did use rkhunter. It never found anything wrong with my configuration. Besides, to be sure I’d have to run it from a safe environment such as some usb stick with rkhunter -propd and store its database on the stick with the network cable unplugged. I guess that could fail since after updates the filesystem is modified and I have to run the propd again. If an attacker has come in after I update and modified something, the database will be updated and marked by rkhunter as clean when I run rkhunter -propd again; I guess it is possible that rkhunter doesn’t detect it?

Your post contains some contradictions in itself

On 13.11.2011 09:36, axls wrote:
> The only listening ports
> were the RPC port and some other port that were open by default.
By default NO listening port is open in openSUSE; whatever was open, you
opened it, not some default.

> So I installed PC-BSD to hopefully thwart the
A very good system, used it myself for a while as dual boot with
openSUSE, if you are satisfied with it why not stick to it?

> while searching for various ways to harden
> my system.

But you do not want to get into apparmor which is de facto hardening?
while searching, did you search the security guide?
http://doc.opensuse.org/products/opensuse/openSUSE/opensuse-security/


PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.7.3 |
nVidia ION | 3GB Ram

If you install openSUSE with the stock configuration you’ll quickly find that at least one port (the other might have been my self-enabled ntpd) is open in the stock configuration. You can verify that by installing 11.4 with the stock configuration and using ntop or say grc.com to test this. 12.1 has all ports stealthed by default. Do you think that is a mere coincidence?

As far as PC-BSD goes, I was running the 8.2 version up until, in the middle of browsing the internet with firefox + flash enabled, KDE informed me that the system was going to shut down immediately, and I wasn’t even running a single root login!!! So there went my assumption that FreeBSD would be any safer to use.
The kern.securelevel that FreeBSD uses is nice since it can even restrict root processes’ permissions, but even at kern.securelevel=1 the X server won’t start, since that securelevel prevents root processes from accessing /dev/mem amongst others.

No, this cracker isn’t the average “Joe - I just read ‘Cracking Unix systems for idiots’” cracker that will happily enter your Kippo honeypot system and scratch his head when all the rootkits he’s wgetting keep disappearing. I just can’t trust the stock kernel. I strongly suspect that AppArmor is able to stop him and I want to use openSUSE because that is the only system usability-wise that I’ve been satisfied with (besides, FreeBSD/PC-BSD still doesn’t support all my HW) and I really don’t want to go the MS road ever again.

Maybe someone on the security mailing list knows if the -fPIC -pie options are used by default or if PaX+grsecurity are that good to begin with. If they aren’t, and proper ASLR + all additional security “features” are missing, I guess hardened Gentoo is one choice, but I really don’t want to compile every binary from sources.

On 11/13/2011 09:36 AM, axls wrote:
> I was running DC client

you will have to excuse me but i am not familiar with that application
“DC client”…

does it have another name?

where did you get it? from which openSUSE repo? or if not from openSUSE,
please give the exact URL where you fetched it…

and how did you install it…

please tell us more about “DC client” because it sure sounds (to me)
like you were not cracked, but rather you opened the door wide and
invited whoever you were “direct connecting” with to walk right in and
help themselves to your system…

and, what were you downloading/fetching/sharing while you ‘direct connected’?

and by the way, my 11.4 was default installed with all ports stealthed,
as was 11.3 and 10.3 and 10.2 and 9.3 and 9.2 . . .


DD http://gplus.to/DenverD
openSUSE®, the “German Automobiles” of operating systems

On 2011-11-13 09:36, axls wrote:

> What I found after rebooting and logging in was that my entire home
> folder was moved. I mean moved not deleted

Moved where?

> and single zero byte was
> written to the root filesystem. The file was named “success”.

That file is used by YaST to mark a successful installation.

> After that
> I reinstalled openSUSE 11.4 with default settings with network cable
> unplugged.

If the network is removed there is no way at all you could be cracked.

> After a while of running that, when I booted my system I wondered how
> on earth the boot took so much time so I changed to tty1 to see more
> than the boot logo. The last message from some modified init script

Modified how? Did you compare it?

> was
> something like “waiting for none…”.

I think that is a known problem.

> In short the system couldn’t boot
> because it was cracked again

Cracked with no cable?

MAGICK!

> and the init scripts were modified
> (probably using the same security hole).

Modified? What was modified? I hope you compared it.

You haven’t proved anything.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

The first time I installed openSUSE I used the Jucy Direct Connect client from its own homepage. I was running in passive mode so I didn’t have to shoot the firewall down.
The second time I used only ktorrent, which was again run for several hours.

> Moved where?

Maybe nowhere? As I said, I hard reset the system since the HDD led had been burning already for something like 10 secs and openSUSE had never done that before, so I was alarmed. I rebooted to discover that /home/user didn’t exist, so I assumed someone had done a dd if=/dev/zero of=/dev/sdX or something similar to my home partition. After installing PC-BSD to run photorec I checked back and booted normally into my openSUSE installation only to find that everything was back as before. It might have been an ext4 bug, or something, but it shouldn’t make a whole partition unreadable? And for your information I had never even touched /etc/fstab.

> That file is used by YaST to mark a successful installation.

Sorry. I’m new to openSUSE and didn’t know that. I didn’t come here to start a flame war. I was seriously worried that my system was cracked.

> If the network is removed there is no way at all you could be cracked.

That is why I installed it with the network cable unplugged the second time: to prevent anyone unauthorized from accessing the system before it was properly installed and I could run ‘rkhunter -propd’ safely.

> Modified how? Did you compare it?

I’m a desktop user, not a sysadmin. To what would I compare it? I don’t have my whole filesystem mirrored to another disk or remote server so I can run checksums to check that every file on my disks is valid as it should be. I would be very pleased if openSUSE offered an online check that could be run against every installation’s filesystem using MD5 or whatever. That is, with a stock installation of openSUSE. So far nobody offers that kind of possibility, and if someone wants to tweak their system they shouldn’t be using that kind of a method (even if that existed).

> I think that is a known problem.

I didn’t know that either. Sorry again, I just don’t have the time to read every forum and mailing list. I just expect the system to work and boot even after applying updates that come from a trusted source, openSUSE.

> Cracked with no cable?

> MAGICK!

I obviously connected the cable after installing openSUSE and running the aforementioned rkhunter. After all I (obviously) didn’t install openSUSE to play mahjongg.

> You haven’t proved anything.

I didn’t come here to prove anything, for crying out loud!!! If you read my first post, I was asking about how to harden my system and what gcc flags openSUSE uses. This is a user support forum and somehow I had the false assumption that someone would actually respond with some respect towards a user who suspects all his personal data has been thrown onto the internet, and give assistance to an inexperienced user who just wants to use his computer safely (part of the reason I chose Linux in the first place!). If I’d known the success file’s meaning and the “known problem” I obviously wouldn’t have been alarmed. If I have somehow hurt your “feelings” please accept my apology. Sincerely.

Hi
You can inspect any of the file build options on Open Build Service;
There are two places to look, the project config and the spec file;

For example openSUSE:Factory (look at optflags);
https://build.opensuse.org/project/prjconf?project=openSUSE%3AFactory

and then for example the spec file for the kernel-default;
https://build.opensuse.org/package/view_file?file=kernel-default.spec&package=kernel-source&project=openSUSE%3AFactory&srcmd5=b89be00940b95ae8606a08b71bc722f6


Cheers Malcolm °¿° (Linux Counter #276890)
openSUSE 11.4 (x86_64) Kernel 2.6.37.6-0.7-desktop
up 4 days 19:50, 3 users, load average: 0.15, 0.10, 0.40
GPU GeForce 8600 GTS Silent - Driver Version: 285.05.09
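The build-service pointers above tell you what flags a package was built with; the complementary check is on the installed binary itself, since a PIE executable is an ELF object of type ET_DYN that also carries a PT_INTERP program header (a plain ET_EXEC has a fixed load address that ASLR cannot move), and randomize_va_space must be non-zero for the kernel to relocate it. The following is an added example, not code from the thread or from openSUSE: a minimal ELF64 header parser that classifies a binary, with constructed sample headers so it runs offline. The helper names (parse_elf64, classify, classify_file, aslr_level, make_elf64) are this example’s own.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3     # e_type values from the ELF specification
PT_INTERP = 3              # program header type naming the dynamic loader
EM_X86_64 = 62


def parse_elf64(data: bytes):
    """Return (e_type, [p_type, ...]) from the ELF64 header and program headers."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2:                       # EI_CLASS: 1 = ELF32, 2 = ELF64
        raise ValueError("only ELF64 is handled in this example")
    en = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack(en + "HHIQQQIHHHHHH", data[16:64])
    ptypes = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack(en + "I", data[off:off + 4])
        ptypes.append(p_type)
    return e_type, ptypes


def classify(data: bytes) -> str:
    """Say whether ASLR can relocate this object's text segment."""
    e_type, ptypes = parse_elf64(data)
    if e_type == ET_EXEC:
        return "fixed-address executable (not PIE: text segment is never relocated)"
    if e_type == ET_DYN and PT_INTERP in ptypes:
        return "PIE executable (text segment relocated at every exec when ASLR is on)"
    if e_type == ET_DYN:
        return "shared object (ET_DYN without PT_INTERP)"
    return "other ELF type %d" % e_type


def classify_file(path: str) -> str:
    """Classify an on-disk binary, e.g. classify_file('/bin/ls')."""
    with open(path, "rb") as f:
        return classify(f.read())


def aslr_level(sysctl_text: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    level = int(sysctl_text.strip())
    return {
        0: "ASLR disabled: nothing is randomised",
        1: "conservative: stack, mmap base, VDSO and PIE base randomised; brk is not",
        2: "full: additionally randomises the brk/heap base",
    }.get(level, "unknown randomize_va_space value %d" % level)


def make_elf64(e_type: int, with_interp: bool) -> bytes:
    """Constructed sample: a bare ELF64 header plus an optional PT_INTERP entry.
    Not a loadable binary; just enough for the parser above."""
    phnum = 1 if with_interp else 0
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0x401000,
                              64, 0, 0, 64, 56, phnum, 64, 0, 0)
    if with_interp:
        hdr += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    return hdr


if __name__ == "__main__":
    for label, blob in (("ET_EXEC", make_elf64(ET_EXEC, True)),
                        ("ET_DYN+interp", make_elf64(ET_DYN, True)),
                        ("ET_DYN", make_elf64(ET_DYN, False))):
        print(label, "->", classify(blob))
    print(aslr_level("2\n"))
```

On a live system, `readelf -h` on the same file shows the same `Type:` field (EXEC versus DYN), and `cat /proc/sys/kernel/randomize_va_space` gives the value that aslr_level interprets; an ET_EXEC binary stays at its link-time address no matter what that sysctl says.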

If my first answer sounded somehow rude, I am sorry. What I wanted to
point at was: There is documentation in place about improved security
(the guide I pointed to for example). Second, what you missed is that
openSUSE is mainly based on apparmor for security (of course beside all
the usual things like activated firewall and a careful user behavior).

apparmor, selinux and grsecurity are all methods to secure a system,
which you do not apply in parallel but one of them without the others;
putting them together would be a mess, since the techniques used by these
three approaches are different, and would most probably result in something
which cannot work at all.
Every distro somehow has its own choice on which kind of default
hardening it is based.
There are comparisons of these different approaches to security, of course,
but when I read them I am myself under the impression that it is mostly
a matter of taste.
Here is an example
http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html

I have used linux (mostly SuSE, later openSUSE) since 1995 (there was a break
in the earlier days of about 2 years between 1997 and 1999 where I did
not use linux), for almost 11 years now no longer as a hobby but as a
productive system on several machines.
Being myself mainly a user, not a professional admin, I could never find
myself in a situation you describe. I think others have a similar
experience and that makes at least me suspect that the cause of your
trouble is simply something else and not that you were hacked.

An incompatibility with your hardware - a simple misunderstanding of
what you see or think you see and how you interpret it - a bad behavior
of the journaling file system after your forced power off, the
possibilities are endless.

You got a good pointer if you are concerned: ask the security mailing
list where the expert people are who know every bit of how the system is
put together. It is fair enough to ask there in addition.

Most of us are users not developers and some of us know also details
about the intrinsics of the system but we are not the developers which
in doubt can give an authoritative answer.

A part of the information you can find here (I do not know how well this
wiki page is updated)
http://en.opensuse.org/openSUSE:Security_Features

On 11/13/2011 06:36 PM, axls wrote:
> Jucy Direct Connect client

it is your system, and your data, so you are free to do as you wish with
it, but i’ll tell you that that application violates these security
‘rules’ of mine:

-download only signed software from known trusted sources

-never install anything provided in a zip file (‘real’ linux folks don’t
distro in a zip)

-never install anything with an *.ini file

-never connect to networks operated by known thieves (somehow they so
often turn out to be untrustworthy)

if you also follow those ‘rules’ you won’t need to do that ASLR thing
you asked about…(or, at least i can say that following those and other
common sense security precautions has me still smiling…ymmv)

on the other hand, from your expanded description of what happened i’m
not so sure you were actually ‘cracked’…i think more likely confused…


DD http://gplus.to/DenverD
openSUSE®, the “German Automobiles” of operating systems

Dear axls,

It seems that you are really concerned about what you think is going on on your system and sincerely try to get help here. Now try to read the whole thread again and take it easy. What do you think the impression people here got from your first post to begin with? You are talking about compile options for generating the software in the packages for openSUSE in general. Not something that I, and I guess many others here, are expecting from somebody stating “I’m a desktop user” later. Also for many of us you seem to jump to a conclusion without really researching in depth what the several “strange things” you found mean. Part of that searching could be: asking here. The simple question: “I found the zero length file success in my root directory after install, is that normal?” would have given you a solution in a nick of time. But people here see with amazement that you, without having any doubt, interpret this as one of the results of your system being cracked. Some people might come to the conclusion you are slightly paranoid. And your other “strange things” are probably (some for certain) in the same category: they are just normal or you must have inflicted this yourself.

Some people here are even afraid that your unsupported claim that openSUSE in particular and Linux in general are very vulnerable to crackers by default might be bad for Linux’s reputation.

Nevertheless, I read that several people above try to help you in a way to let you identify one by one the “strange things” in such a way that they can be analysed. Thus we and you can come to a conclusion which ones are normal, harmless or dangerous. That is how IT problems are to be handled: systematically, trying to understand and not reverting to that old human habit: jumping to conclusions.

That means that for every one of the statements you make, they will ask for evidence. E.g. when you say your home directory is moved, then tell us more about how you came to that conclusion and preferably show this with things like

ls -l /home

and the same for the place where it moved to. And when you say you do not know where it moved, how can you then state that it is moved? I would in that case state that it is removed/deleted. Mind your words. People here are like computers, they do not understand what you mean to say, they understand what you say.

Please, do not take our words as if you are not welcome here. You are. But keep in mind that all the people here are openSUSE users like you. They try to help in their spare time. Their only reward being that sometimes people are helped and post something like: “Thank you for your help, it worked!”.
Keep in mind that people do not know you nor your knowledge base or experience. They have to assess it from what you say, starting with your first post. They can guess wrong. That can be because of wording used in posts, because of English not being the first language of one or more of the posters, because of complete misunderstandings. We are all away from each other over the globe in time and space and nothing is in fact “logical” in such a conversation.

I guess that if you are willing to post now one by one your concerns with your system, many good advices will be brought forward.

Wishing you success with openSUSE

On 2011-11-13 18:36, axls wrote:

>> Modified how? Did you compare it?
>
> I’m a desktop user, not a sysadmin. To what would I compare it to? I
> don’t have my whole filesystem mirrored to another disk or remote server
> so I can run checksums to check if every file on my disks are valid as
> they should. I would be very pleased if openSUSE offered an online check
> that could be run against every installation’s filesystem using MD5 or
> whatever. That is with a stock installation of openSUSE. So far nobody
> offers that kind of possibility and if someone wants to tweak their
> system they shouldn’t be using that kind of a method (even if that
> existed).

There are tools for doing that kind of thing.

Rpm can check modified files in the installation, but you will not trust it
because it is internal. There is another, tripwire, with an external
database, but you have to prepare it yourself.

You may want to look at these:

tripwire
aide ++
saint
nessus -> openvas
http://www.rootkit.nl

>> You haven’t proved anything.
>
> I didn’t come here to prove anything for crying out loud!!! If you read
> my first post I was asking about how to harden my system and what gcc
> flags openSUSE uses. This is a user support forum and somehow I had the
> false assumption that someone would actually respond with some respect
> towards a user that suspects all his personal data has been thrown to
> internet and give assistance to an inexperienced user who just wants to
> use his computer safely (part of the reason I chose Linux in the first
> place!). If i’d known the success file’s meaning and the “known problem”
> I obviously wouldn’t have been alarmed. If i have somehow hurt your
> “feelings” please accept my apology. Sincerely.

We answer with respect.

I think you overreacted. You may have been hacked, but you show no proof,
it is not possible to investigate what had been broken, or if it had. I
think you took normal behaviour or bugs for cracks.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
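The tools listed above (tripwire, aide, and the rkhunter --propupd database axls mentions earlier in the thread) all work the same way: hash every file from a trusted state, keep that baseline somewhere the machine cannot silently rewrite it, and later diff the live filesystem against it. The point of the external database is that a check only means something if the baseline was taken before any compromise and is not refreshed blindly after the fact. The following is an added example, not code from the thread or from any of those tools: a small SHA-256 baseline-and-compare routine, with a demo that builds a constructed directory tree, tampers with it, and reports what changed. The names (sha256_file, build_baseline, compare, save_baseline, load_baseline, demo) and the sample files are this example’s own.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root.
    Symlinks are skipped so a link cannot point the scan outside the tree."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: files that appeared, vanished, or changed content."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    """Write the baseline as JSON; in practice store it off the monitored host
    (a read-only USB stick, as axls suggests) so an intruder cannot rewrite it."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: snapshot a tree, then simulate post-install drift."""
    with tempfile.TemporaryDirectory() as root:
        initd = os.path.join(root, "etc", "init.d")
        os.makedirs(initd)
        boot_local = os.path.join(initd, "boot.local")
        with open(boot_local, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        # YaST's zero-byte "success" marker, as explained earlier in the thread
        open(os.path.join(root, "success"), "w").close()

        trusted = build_baseline(root)           # taken from the clean state

        # Simulated changes after the baseline was taken:
        with open(boot_local, "a") as f:         # an init script is edited
            f.write("# edited after install\n")
        os.remove(os.path.join(root, "success")) # a file disappears
        with open(os.path.join(root, "etc", "motd"), "w") as f:  # a file appears
            f.write("constructed sample\n")

        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For packaged files, `rpm -Va` does the same comparison against the package database Carlos mentions; the script above is useful precisely for what rpm cannot vouch for (a database that lives on the same disk, and files outside any package).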

On 2011-11-13 19:10, Martin Helm wrote:
> You got a good pointer if you are concerned: ask the security mailing
> list where the expert people are who know every bit of how the system is
> put together. It is fair enough to ask there in addition.

But they will want proofs, no impressions, to determine where the hole is.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 13.11.2011 19:53, Carlos E. R. wrote:
> On 2011-11-13 19:10, Martin Helm wrote:
>> You got a good pointer if you are concerned: ask the security mailing
>> list where the expert people are who know every bit of how the system is
>> put together. It is fair enough to ask there in addition.
>
> But they will want proofs, no impressions, to determine where the hole is.
>
And they will tell the person who asks what kind of evidence they want
so that is not a problem.


PC: oS 11.4 (dual boot 12.1) 64 bit | Intel Core i7-2600@3.40GHz | KDE
4.6.0 | GeForce GT 420 | 16GB Ram
Eee PC 1201n: oS 11.4 64 bit | Intel Atom 330@1.60GHz | KDE 4.7.3 |
nVidia ION | 3GB Ram

On Sun, 13 Nov 2011 17:36:03 +0000, axls wrote:

> If you read my first post I was asking about how to harden my system and
> what gcc flags openSUSE uses.

Nobody’s trying to be rude to you - but you should understand that you’ve
jumped to a conclusion that it must be something to do with how the
packages are built rather than starting with “here’s what happened, how
do I determine what’s happened so I can fix it?”

It’s like going to the doctor with a headache and starting with the
assumption that you have a brain tumor. You’ve picked what is undoubtedly
the most unlikely scenario and assumed that that must be what’s caused
your issue.

Your situation is the first I’ve ever heard of this particular path to
exploit - and I’ve been using Linux successfully for well over a decade.

That’s why I asked the questions I did, and undoubtedly why others are
asking similar questions.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C