hartwork / antijack
:ninja: seccomp-based anti-TTY-hijacking proof-of-concept (prevents TIOCSTI and TIOCLINUX)

License: Apache License 2.0



What is antijack?

antijack was inspired by ttyjack and is its counterpart in some sense, hence the name.

antijack's mission is threefold:

  • demonstrate running a program in a way that prevents it from injecting commands into the surrounding controlling terminal via the ioctls TIOCSTI and/or TIOCLINUX, e.g. try antijack ttyjack echo nope.
  • generate a seccomp syscall filter (a BPF program) that blocks the ioctls TIOCSTI and TIOCLINUX and dump it into a file for use with e.g. bubblewrap, a la bwrap --seccomp 3 [..] 3< <(antijack --dump /dev/stdout).
  • demonstrate a syscall-level mitigation for Linux using libseccomp. This may not be enough; more on that below.

It should be noted that:

Requirements

  • C99 compiler
  • Linux build and target host
  • glibc ≥ 2.32
  • GNU make
  • libseccomp

How to compile

$ make

Example output (on x86_64)

$ antijack --help
usage: antijack [-v|--verbose] [-o|--dump PATH.bpf] [--] [COMMAND [ARG ..]]
   or: antijack -h|--help

$ antijack -v -- ttyjack echo nope
[*] Initializing libseccomp...
[+]   Done.
[*] Adding rule block TIOCSTI ioctls...
[+]   Done.
[*] Adding rule block TIOCLINUX ioctls...
[+]   Done.
[*] Loading seccomp rules into the kernel...
#
# pseudo filter code start
#
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "ioctl" (16) [priority: 65532]
  if ($syscall == 16)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0xffffffff == 21532)
        action KILL_PROCESS;
      if ($a1.lo32 & 0xffffffff == 21522)
        action KILL_PROCESS;
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#
[+]   Done.
[*] Releasing libseccomp...
[+]   Done.
[*] Running ttyjack...
Bad system call

$ antijack --dump filter.bpf

$ wc -c < filter.bpf
112
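The pseudo filter in the dump above, hand-assembled as classic BPF and installed with prctl(2) instead of libseccomp. This is an added example, not antijack's own code; it assumes x86_64 and the little-endian layout of struct seccomp_data, and produces a shorter filter than the 112-byte libseccomp dump because it skips libseccomp's bookkeeping.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define SD(field) ((__u32)offsetof(struct seccomp_data, field))

/* Hand-assembled equivalent of the pseudo filter antijack dumps (x86_64 only).
 * Fills `out` (room for 10 instructions) and returns the instruction count. */
size_t build_filter(struct sock_filter *out)
{
    const struct sock_filter prog[] = {
        /* invalid architecture -> KILL (thread), as in the dump */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* anything but ioctl(2) -> ALLOW (jump over the request checks) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),
        /* Match only the low 32 bits of args[1]: the kernel takes the ioctl
         * request as unsigned int, which is why the dump masks $a1.hi32 with 0. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[1])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCSTI, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    size_t n = sizeof prog / sizeof prog[0];
    for (size_t i = 0; i < n; i++) out[i] = prog[i];
    return n;
}

int main(int argc, char **argv)
{
    struct sock_filter insns[10];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    if (argc < 2) { fprintf(stderr, "usage: %s COMMAND [ARG ..]\n", argv[0]); return 2; }
    /* no_new_privs is required before an unprivileged process may load a filter;
     * the filter is inherited across execve, so COMMAND runs under it */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) { perror("prctl"); return 1; }
    execvp(argv[1], argv + 1);
    perror("execvp"); return 1;
}
```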

Related CVEs (not mine)


Sebastian Pipping, Berlin, 2023
