Playing with Linux Kernel Runtime Guard (LKRG)

- By Leszek Miś

A step-by-step walkthrough of running LKRG protection against the suterusu LKM rootkit on an updated CentOS 7 system.

If you want to learn more about the project, how things work, etc., I strongly suggest subscribing to the project's mailing list:

# cat /etc/redhat-release

CentOS Linux release 7.4.1708 (Core)

# uname -a
Linux selinux.lab.vm 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

# yum install kernel-devel

# pwd
/root

# wget https://www.openwall.com/lkrg/lkrg-0.5.tar.gz
# tar -zxvf lkrg-0.5.tar.gz
# cd lkrg-0.5
# make

# modinfo p_lkrg.ko
filename: /root/lkrg-0.5/p_lkrg.ko
license: GPL v2
description: pi3's Linux kernel Runtime Guard
author: Adam 'pi3' Zabrocki (http://pi3.com.pl)
retpoline: Y
rhelversion: 7.5
srcversion: 7437FE150EFCECA96B3EEAF
depends:
vermagic: 3.10.0-862.14.4.el7.x86_64 SMP mod_unload modversions
parm: p_init_log_level:Logging level init value [1 (alive) is default] (uint)

# git clone https://github.com/mncoppola/suterusu.git
# cd suterusu
# make linux-x86_64 KDIR=/usr/src/kernels/3.10.0-862.14.4.el7.x86_64/
# insmod suterusu.ko
# gcc sock.c -o sock
# cp sock /tmp/
# cd /root/lkrg-0.5
# insmod p_lkrg.ko
# dmesg | tail
[ 574.326724] [p_lkrg] Loading LKRG...
[ 574.619429] [p_lkrg] LKRG initialized successfully!
[ 589.720682] [p_lkrg] System is clean!
[ 592.223492] [p_lkrg] Unloading LKRG...
[ 592.366212] [p_lkrg] LKRG unloaded!
[ 687.519851] [p_lkrg] Loading LKRG...
[ 687.857611] [p_lkrg] LKRG initialized successfully!
[ 687.880217] [p_lkrg] System is clean!

# su - cr0
$ id
uid=1000(cr0) gid=1000(cr0) groups=1000(cr0)

$ /tmp/sock
Dropping to root shell
Killed

$ dmesg | tail
[ 787.650853] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.659309] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'real_cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.663917] [p_lkrg] <Exploit Detection> process[1175 | sock] has different UID! 1000 vs 0
[ 787.675209] [p_lkrg] <Exploit Detection> process[1175 | sock] has different EUID! 1000 vs 0
[ 787.682771] [p_lkrg] <Exploit Detection> process[1175 | sock] has different SUID! 1000 vs 0
[ 787.713394] [p_lkrg] <Exploit Detection> process[1175 | sock] has different FSUID! 1000 vs 0
[ 787.715679] [p_lkrg] <Exploit Detection> process[1175 | sock] has different GID! 1000 vs 0
[ 787.719535] [p_lkrg] <Exploit Detection> process[1175 | sock] has different EGID! 1000 vs 0
[ 787.722859] [p_lkrg] <Exploit Detection> process[1175 | sock] has different SGID! 1000 vs 0
[ 787.725855] [p_lkrg] <Exploit Detection> process[1175 | sock] has different FSGID! 1000 vs 0
[ 787.731415] [p_lkrg] <Exploit Detection> Trying to kill process[sock | 1175]!
[ 788.088163] Pausing function hook 0xffffffffc049da50
[ 788.088188] Resuming function hook 0xffffffffc049da50
[ 788.088204] Pausing function hook 0xffffffffc049da50
[ 788.088214] Resuming function hook 0xffffffffc049da50
[ 793.265987] [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x87e3ac7efa28e336] and should be [0x3895cef460d7b282] !!!
[ 793.276114] [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 1 CHECKSUMS !!!

Cool!
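The dmesg output above is where LKRG reports both kinds of finding: the per-process credential mismatch (the `<Exploit Detection>` lines that end with the kill of `sock`) and, on the next integrity check, the `_STEXT` hash mismatch caused by suterusu's hooks. The shell helper below is an added example, not code from this post or from the LKRG project; it pulls those lines out of dmesg-style input and summarises them per PID so a defender can triage quickly. It assumes the message formats LKRG 0.5 printed above (`<Exploit Detection>` with a `process[PID | comm]` or `process[comm | PID]` tag, and `ALERT !!! ... !!!` for checksum failures); the embedded sample log is constructed from the output shown in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the LKRG project): triage helper
# for LKRG kernel-log messages. Assumes the LKRG 0.5 message formats shown in
# the post; field names below are those messages, nothing else is inferred.

# Constructed sample, copied from the post's dmesg output and shortened.
LKRG_SAMPLE_LOG=$(cat <<'EOF'
[ 687.880217] [p_lkrg] System is clean!
[ 787.650853] [p_lkrg] <Exploit Detection> Detected pointer swapping attack!process[1175 | sock] has different 'cred' pointer [0xffff8bf70008f480 vs 0xffff8bf70008f540]
[ 787.663917] [p_lkrg] <Exploit Detection> process[1175 | sock] has different UID! 1000 vs 0
[ 787.675209] [p_lkrg] <Exploit Detection> process[1175 | sock] has different EUID! 1000 vs 0
[ 787.731415] [p_lkrg] <Exploit Detection> Trying to kill process[sock | 1175]!
[ 788.088163] Pausing function hook 0xffffffffc049da50
[ 793.265987] [p_lkrg] ALERT !!! _STEXT MEMORY BLOCK HASH IS DIFFERENT - it is [0x87e3ac7efa28e336] and should be [0x3895cef460d7b282] !!!
[ 793.276114] [p_lkrg] ALERT !!! SYSTEM HAS BEEN COMPROMISED - DETECTED DIFFERENT 1 CHECKSUMS !!!
EOF
)

# lkrg_summary [file...]  (reads stdin when no file is given)
# Prints one "exploit-detection <pid> <comm> <count>" line per offending
# process, then one "integrity <message>" line per checksum alert.
# Always exits 0; use lkrg_compromised for a yes/no answer.
lkrg_summary() {
    awk '
        /\[p_lkrg\] <Exploit Detection>/ {
            i = index($0, "process[")
            if (i > 0) {
                rest = substr($0, i + 8)                 # text after "process["
                tag  = substr(rest, 1, index(rest, "]") - 1)
                split(tag, parts, /[|]/)                 # "1175 | sock" or "sock | 1175"
                gsub(/^ +| +$/, "", parts[1]); gsub(/^ +| +$/, "", parts[2])
                if (parts[1] ~ /^[0-9]+$/) { pid = parts[1]; comm = parts[2] }
                else                       { pid = parts[2]; comm = parts[1] }
                key = pid " " comm
                if (!(key in hits)) keys[++n] = key     # keep first-seen order
                hits[key]++
            }
        }
        /\[p_lkrg\] ALERT !!!/ {
            msg = $0
            sub(/^.*\[p_lkrg\] ALERT !!! /, "", msg)     # drop timestamp and prefix
            sub(/ !!!$/, "", msg)                         # drop trailing bangs
            alerts[++a] = msg
        }
        END {
            for (i = 1; i <= n; i++) print "exploit-detection " keys[i] " " hits[keys[i]]
            for (i = 1; i <= a; i++) print "integrity " alerts[i]
        }
    ' "$@"
}

# lkrg_compromised [file...]: exit 0 if LKRG reported anything, 1 if the log is clean.
lkrg_compromised() {
    [ -n "$(lkrg_summary "$@")" ]
}

# Demo on the constructed sample; in practice: dmesg | lkrg_summary
printf '%s\n' "$LKRG_SAMPLE_LOG" | lkrg_summary
```

On a live host run `dmesg | lkrg_summary` or `journalctl -k | lkrg_summary`; a non-empty summary after LKRG has already killed the offending process is the signal that something in kernel text was also modified, which is exactly what the `_STEXT` alert above means, and at that point the box should be treated as compromised rather than just having lost one process.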

Links: