Oracle EM GRID CONTROL报
Category Security
Description Ensure that the OS configuration parameter, which enables execution of code on the user stack, is not enabled
官方文档:
Oracle® Enterprise Manager Policy Reference Manual 10g Release 5 (10.2.0.5) 5.2 Security Policies
http://docs.oracle.com/cd/B19306_01/em.102/b16231/host.htm#sthref1357
---------------------------------------------------------------------------- 华丽的分隔线 -----------------------------------------------------------------------------------------
PAE Physical_Address_Extension
http://en.wikipedia.org/wiki/Physical_Address_Extension
这是操作系统上扩展内存的,32位的系统理论最大支持4G,使用PAE就可以打破4G,64位最大支持一般因操作系统版本,有的支持上T的内存
当然也需要CPU芯片的支持
NX bit
http://en.wikipedia.org/wiki/NX_bit
而oracle认为在32位系统上开启此特性会造成安全问题,容易造成space overflow被一些malicious software利用,比方 可以在linux 模拟突破C++的虚拟指针--C++程序的缓冲区溢出攻击
policy默认级别critical
扩展阅读:《内核漏洞的利用与防范》: http://book.51cto.com/art/201203/324044.htm
Security breaches occur in many forms, but one of the most common methods is to monitor the system-provided administrative tools, look for, and exploit buffer overflows. Buffer overflow attacks occur when an internal program buffer is overwritten because data was not properly validated (such as command line, environmental variable, disk or terminal I/O). Attack code is inserted into a running process through the buffer overflow, changing the execution path of the running process. The return address is overwritten and redirected to the inserted-code location. Common causes of breaches include improper or nonexistent bounds checking, or incorrect assumptions about the validity of data sources. For example, a buffer overflow can occur when a data object is large enough to hold 1 KB of data, but the program does not check the bounds of the input and hence can be made to copy more than 1 KB into that data object.
The intruder's goal is to attack a command and/or tool that provides root privileges to a regular user. Control of the program is gained with all the privileges enabled, permitting overflow of the buffers. Attacks are typically focused on a root owned UID set or programs leading to the execution of a shell, thereby gaining root-based shell access to the system.
You can prevent these attacks by blocking execution of attack code entering through the buffer overflow. Disable execution on the memory areas of a process where execution commonly does not take place (stack and heap memory areas).
execstack -- program to query or set executable stack flag
-c, --clear-execstack Clear executable stack flag bit
-q, --query Query executable stack flag bit
-s, --set-execstack Set executable stack flag bit
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Category Security
Description Ensure that the OS configuration parameter, which enables execution of code on the user stack, is not enabled
官方文档:
Oracle® Enterprise Manager Policy Reference Manual 10g Release 5 (10.2.0.5) 5.2 Security Policies
http://docs.oracle.com/cd/B19306_01/em.102/b16231/host.htm#sthref1357
5.2 Security Policies
The security policies for the Host target are:
5.2.1 Execute Stack
This policy ensures that the Operating System configuration parameter, which enables execution of code on the user stack, is not enabled.
The following table lists the policy's main properties.
| Severity | Category | Target Type | Versions Affected | Policy Rule EvaluationFoot 1 | Automatically Enabled? | Alert Message |
|---|---|---|---|---|---|---|
| Warning | Security | Host | All UNIX-Based Operating Systems | The underlying metric is executeStackRep which has a collection frequency of once every 24 hours. | Yes | The host is in an insecure state. Executable code on the user stack is enabled. |
The policy rule is evaluated each time its underlying metric is collected.
Parameters and Their Default Values
None
Objects Excluded by Default
Not Applicable
Enabling code execution on the user stack may allow a malicious user to exploit stack buffer overflows. Overflows can cause portions of a system to fail, or even execute arbitrary code.
Disable code execution on the user stack.
---------------------------------------------------------------------------- 华丽的分隔线 -----------------------------------------------------------------------------------------
相关连接:
http://en.wikipedia.org/wiki/Physical_Address_Extension
这是操作系统上扩展内存的,32位的系统理论最大支持4G,使用PAE就可以打破4G,64位最大支持一般因操作系统版本,有的支持上T的内存
当然也需要CPU芯片的支持
NX bit
http://en.wikipedia.org/wiki/NX_bit
而oracle认为在32位系统上开启此特性会造成安全问题,容易造成space overflow被一些malicious software利用,比方 可以在linux 模拟突破C++的虚拟指针--C++程序的缓冲区溢出攻击
policy默认级别critical
扩展阅读:《内核漏洞的利用与防范》: http://book.51cto.com/art/201203/324044.htm
AIX官方有对这个解释
http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/stack_exec_disable.htm
There is increasing likelihood of computer systems falling prey to sophisticated attacks, resulting in disruption to the daily operations of businesses and government agencies. While no security measure can provide foolproof protection against attacks, you should deploy multiple security mechanisms to thwart security attacks. This section covers a security mechanism that is used with AIX® to thwart attacks due to buffer overflow based execution.Security breaches occur in many forms, but one of the most common methods is to monitor the system-provided administrative tools, look for, and exploit buffer overflows. Buffer overflow attacks occur when an internal program buffer is overwritten because data was not properly validated (such as command line, environmental variable, disk or terminal I/O). Attack code is inserted into a running process through the buffer overflow, changing the execution path of the running process. The return address is overwritten and redirected to the inserted-code location. Common causes of breaches include improper or nonexistent bounds checking, or incorrect assumptions about the validity of data sources. For example, a buffer overflow can occur when a data object is large enough to hold 1 KB of data, but the program does not check the bounds of the input and hence can be made to copy more than 1 KB into that data object.
The intruder's goal is to attack a command and/or tool that provides root privileges to a regular user. Control of the program is gained with all the privileges enabled, permitting overflow of the buffers. Attacks are typically focused on a root owned UID set or programs leading to the execution of a shell, thereby gaining root-based shell access to the system.
You can prevent these attacks by blocking execution of attack code entering through the buffer overflow. Disable execution on the memory areas of a process where execution commonly does not take place (stack and heap memory areas).
解决方法:
1. 打non executable patch2. 就是对于自己熟悉的share lib或者shell用execstack进行静态的绑定,避免其占用overflow的exec stack以及 heap memory areas
execstack的使用方法,http://linux.die.net/man/8/execstack
execstack -- program to query or set executable stack flag
-c, --clear-execstack Clear executable stack flag bit
-q, --query Query executable stack flag bit
-s, --set-execstack Set executable stack flag bit
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
扫一扫
613
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
