Project

General

Profile

Actions

Bug #5762

closed

detect/pcre: JIT not disabled when OS doesn't allow RWX pages

Added by IDSTower Support about 2 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

On Ubuntu 22.04.1 LTS, if you configure Suricata systemd service file with the following security hardening settings "MemoryDenyWriteExecute=true" the suricata Service will crash with a segmentation fault once the PCRE engine is triggerd to compile a PCRE found in a rule using JIT.

to reproduce this issue please follow these steps:

  1. install suricata 6.0.9 from ppa:oisf/suricata-stable on Ubuntu 22.04.1 LTS
  2. configure suricata to listen to the interface
  3. configure suricata with the following rule
    alert ip any any -> any any (msg:"crash test"; content:"test"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:1;)
    
  4. use the following systemd file to run suricata service, place it in: /lib/systemd/system/suricata.service
    # IDSTower Suricata systemd unit file.
    [Unit]
    Description=IDSTower Suricata Service
    After=syslog.target network-online.target systemd-tmpfiles-setup.service
    Documentation=man:suricata(1)
    
    [Service]
    ExecStartPre=/bin/rm -f /etc/suricata/suricata.pid
    ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /etc/suricata/suricata.pid --af-packet -vvv
    ExecReload=/bin/kill -USR2 $MAINPID
    
    ### Security Settings ###
    MemoryDenyWriteExecute=true
    LockPersonality=true
    ProtectControlGroups=true
    ProtectKernelModules=true
    
    [Install]
    WantedBy=multi-user.target
    

Note: this is the same systemd service file avaiable in Suricata Redhat/CentOS RPMs

#create a txt file named trigger.txt containing the word test on another machine

user@idstowerubuntu22:~$ cat trigger.txt
test

#start a simple python server to serve trigger.txt and curl it from the suricata machine
python -m http.server

curl -X GET http://192.168.3.242:8000/trigger.txt

#Suricata service will crash

running: sudo dmesg -T


Files

clipboard-202212161717-jb7ce.png (109 KB) clipboard-202212161717-jb7ce.png IDSTower Support, 12/16/2022 01:17 PM
clipboard-202212161717-tkewq.png (80.7 KB) clipboard-202212161717-tkewq.png IDSTower Support, 12/16/2022 01:17 PM
Actions #1

Updated by Victor Julien about 2 years ago

  • Subject changed from Suricata On Ubuntu dose not disable PCRE JIT when OS doesn't allow RWX pages to detect/pcre: JIT not disabled when OS doesn't allow RWX pages
  • Status changed from New to In Progress
  • Assignee changed from OISF Dev to Victor Julien
  • Target version changed from TBD to 6.0.10
Actions #2

Updated by Victor Julien about 2 years ago

  • Status changed from In Progress to In Review
Actions

Also available in: Atom PDF