Andrey Konovalov shared a method of disabling lockdown

Andrey Konovalov, a Google software engineer, unveiled a method to remotely disable the Lockdown protection offered by the Linux kernel shipped with Ubuntu, which shows that this protection method is ineffective. He also mentions that the methods he disclosed should in theory work with the Fedora kernel and other distributions as well, but these have not been tested.

For those unaware of Lockdown: it is a component of the Linux kernel whose main function is to limit the root user's access to the kernel. This functionality has been moved into an optionally loaded LSM (Linux Security Module), which establishes a barrier between UID 0 and the kernel, limiting certain low-level functions.

This allows the lockdown function to be policy-based rather than hard-coding an implicit policy within the mechanism; the lockdown LSM provides an implementation with a simple policy intended for general use, with a level of granularity controllable through the kernel command line.

About lockdown

Lockdown restricts root access to the kernel and blocks UEFI Secure Boot bypass paths.

For example, in lockdown mode, access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS and other interfaces is limited, as is access to ACPI and the CPU's MSR registers.

The kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports, including changing the interrupt number and I/O port of the serial port, is restricted.

As some may know, the lockdown mechanism was added to the mainline Linux kernel in version 5.4, but in the kernels shipped by distributions it is still implemented in the form of patches, or supplemented by patches.

One of the differences between the patches shipped in the distributions and the mainline kernel implementation is the ability to disable lockdown when there is physical access to the system.

Ubuntu and Fedora use the key combination Alt + SysRq + X to disable lockdown. The assumption is that Alt + SysRq + X can only be used with physical access to the device, so that in the event of a remote attack with root access, the attacker would not be able to disable lockdown.

Lockdown can be disabled remotely

Andrey Konovalov showed that keyboard-based methods of confirming the physical presence of a user are ineffective.

He disclosed that the easiest way to disable lockdown would be to simulate pressing Alt + SysRq + X through /dev/uinput, but this path is blocked from the outset.

But there are at least two more ways to substitute for Alt + SysRq + X:

  • The first method uses the sysrq-trigger interface: to simulate the key press, it is enough to enable the interface by writing "1" to /proc/sys/kernel/sysrq and then writing "x" to /proc/sysrq-trigger.
    This gap was fixed in the December Ubuntu kernel update and in Fedora 31. Notably, as with /dev/uinput, the developers had initially tried to block this method, but the blocking did not work due to a bug in the code.
  • The second method is to emulate a keyboard via USB/IP and then send the Alt + SysRq + X sequence from the virtual keyboard.
    In the kernel supplied by Ubuntu, USB/IP is enabled by default, and the required modules usbip_core and vhci_hcd are provided with the necessary digital signature.
    An attacker can create a virtual USB device by running a network controller on the loopback interface and connecting it as a remote USB device using USB/IP.

This method has been reported to the Ubuntu developers, but a fix has not been released yet.
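For administrators who want to check whether a host exposes the conditions the two bypass paths above rely on (lockdown not active, SysRq functions enabled, USB/IP modules loaded), the following audit is an added example written for this article; it is not code from the article or from Konovalov's write-up. It assumes the documented kernel.sysrq bitmask from Documentation/admin-guide/sysrq.rst, the first-field module name format of /proc/modules, and that a lockdown-enabled kernel exposes its mode in /sys/kernel/security/lockdown with the active mode in brackets (that sysfs format is an assumption; older patched distribution kernels may not provide the file). The functions take file contents as strings so the checks run offline on the constructed samples below; on a live host you would read the three files instead.

```python
"""Audit a host for the SysRq / USB-IP exposure described in the article.

Added example, not code from the article or from Konovalov's write-up.
Inputs are passed as strings so the checks can run against constructed
samples; on a live host read /proc/sys/kernel/sysrq,
/sys/kernel/security/lockdown (assumed path and format) and /proc/modules.
"""
import re

# Bitmask documented in Documentation/admin-guide/sysrq.rst:
# 0 disables SysRq completely, 1 enables everything, >1 is a bitmask.
SYSRQ_BITS = {
    0x2: "console loglevel",
    0x4: "keyboard control (SAK, unraw)",
    0x8: "debug dumps",
    0x10: "sync",
    0x20: "remount read-only",
    0x40: "signal processes",
    0x80: "reboot/poweroff",
    0x100: "nice RT tasks",
}

# Modules the article names as the USB/IP client side on Ubuntu.
USBIP_MODULES = {"usbip_core", "vhci_hcd"}


def sysrq_enabled_functions(value: str) -> set:
    """Return the SysRq function names enabled by a kernel.sysrq value."""
    n = int(value.strip(), 10)
    if n == 0:
        return set()
    if n == 1:
        return set(SYSRQ_BITS.values())
    return {name for bit, name in SYSRQ_BITS.items() if n & bit}


def lockdown_mode(sysfs_text: str) -> str:
    """Parse e.g. 'none [integrity] confidentiality'; the bracketed word is active."""
    m = re.search(r"\[(\w+)\]", sysfs_text)
    return m.group(1) if m else "unknown"


def loaded_usbip_modules(proc_modules: str) -> set:
    """USB/IP module names present in /proc/modules (first field of each line)."""
    names = {line.split()[0] for line in proc_modules.splitlines() if line.strip()}
    return names & USBIP_MODULES


def audit(sysrq_value: str, lockdown_text: str, proc_modules: str) -> list:
    """Return a list of findings; an empty list means no exposure was found."""
    findings = []
    if lockdown_mode(lockdown_text) == "none":
        findings.append("lockdown is not active")
    enabled = sysrq_enabled_functions(sysrq_value)
    if enabled:
        findings.append("sysrq enabled: " + ", ".join(sorted(enabled)))
    mods = loaded_usbip_modules(proc_modules)
    if mods:
        findings.append("USB/IP modules loaded: " + ", ".join(sorted(mods)))
    return findings


# Constructed sample inputs (not captured from a real host).
SAMPLE_SYSRQ = "176\n"  # 128 + 32 + 16: reboot, remount read-only, sync
SAMPLE_LOCKDOWN = "none [integrity] confidentiality\n"
SAMPLE_MODULES = (
    "vhci_hcd 40960 0 - Live 0x0000000000000000\n"
    "usbip_core 32768 1 vhci_hcd, Live 0x0000000000000000\n"
    "ext4 737280 1 - Live 0x0000000000000000\n"
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSRQ, SAMPLE_LOCKDOWN, SAMPLE_MODULES):
        print("FINDING:", finding)
```

A non-empty result is informational rather than proof of a bypass: the sysrq-trigger path is closed by the kernel updates the article cites, and the USB/IP path only matters on kernels that ship signed usbip_core and vhci_hcd modules; the audit simply tells you which of those preconditions a host meets so you can prioritise the update. A standard modprobe "install" directive in /etc/modprobe.d can be used to prevent the USB/IP modules from loading on hosts that do not need them.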

Source: https://github.com

