- A security oversight in Linux allows rootkits to bypass enterprise security solutions and run covertly
- It was found in the io_uring kernel interface
- Researchers built a proof-of-concept rootkit, which is now available on GitHub
ARMO's cybersecurity researchers recently discovered a security oversight in Linux which allows rootkits to bypass enterprise security solutions and run covertly on the affected endpoint.
The oversight exists because the io_uring kernel interface is ignored by most security monitoring tools. Built as a faster, more efficient way for Linux systems to talk to storage devices, io_uring lets modern systems handle large volumes of I/O without issuing a system call for every operation: requests are queued in shared submission and completion rings instead. It was introduced with the release of Linux 5.1 in 2019.
Most security tools look for suspicious syscalls by hooking them, and ignore anything done through io_uring entirely. Since the interface supports many operations through 61 operation types, it creates a dangerous blind spot that can be exploited for malicious purposes. Among other things, the supported operations include reads and writes, creating and accepting network connections, modifying file permissions, and more.
According to BleepingComputer, the risk is considered great enough that Google has disabled it by default in both Android and ChromeOS, which both use the Linux kernel.
The proof-of-concept rootkit
To demonstrate the defect, ARMO created a proof-of-concept (PoC) rootkit called "Curing". It can pull instructions from a remote server and run arbitrary commands without triggering any syscall hook. The researchers then tested it against popular runtime security tools and determined that most of them could not detect it.
The researchers report that Falco was completely oblivious to the activity, while Tetragon could not flag it under its default configuration. However, Tetragon's developers told the researchers that they do not consider the platform to be vulnerable, because monitoring can be enabled that does detect the rootkit.
"We reported this to the Tetragon team and their response was that Tetragon is not 'vulnerable' from their point of view, because they intentionally provide the flexibility to hook anywhere," the researchers said. "They pointed to a good blog post they wrote about the subject."
ARMO also said that it tested the rootkit against unnamed commercial products and confirmed that io_uring-abusing malware was not being detected. Curing is now available for free on GitHub.
Via BleepingComputer
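The point made above is that syscall-hook-based tooling never sees work submitted through io_uring, so a defender needs a different signal. One cheap host-level check is to inventory which processes hold an io_uring instance at all: the kernel exposes each ring to its owner as an anonymous-inode file descriptor whose `/proc/<pid>/fd/<n>` symlink resolves to `anon_inode:[io_uring]`. The script below is an added example written for this page, not code from ARMO, the Curing repository, Falco or Tetragon. The `scan_proc` walker reads the live `/proc`; the sample descriptor table, the `KNOWN_IO_URING_USERS` allowlist and the process names in it are constructed placeholders for illustration.

```python
#!/usr/bin/env python3
"""Inventory processes that hold io_uring instances, using /proc.

io_uring rings are handed to userspace as anonymous-inode file descriptors.
Reading the /proc/<pid>/fd/<n> symlink of such a descriptor yields the
string "anon_inode:[io_uring]", which makes a point-in-time inventory of
io_uring users possible without any kernel hooks.
"""
import os
from collections import defaultdict

IO_URING_LINK = "anon_inode:[io_uring]"

# Constructed allowlist of process names expected to use io_uring on this
# host. Populate it from your own baseline; these names are placeholders.
KNOWN_IO_URING_USERS = {"postgres", "example-db"}


def scan_proc(proc_root="/proc"):
    """Yield (pid, comm, link_target) for every readable fd of every process.

    Processes that exit mid-scan or that we may not inspect are skipped.
    """
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm", encoding="utf-8") as fh:
                comm = fh.read().strip()
            fds = os.listdir(f"{proc_root}/{pid}/fd")
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        for fd in fds:
            try:
                target = os.readlink(f"{proc_root}/{pid}/fd/{fd}")
            except OSError:
                continue  # fd closed between listdir and readlink
            yield pid, comm, target


def classify_fd_targets(fd_targets):
    """Reduce (pid, comm, link_target) rows to the processes owning rings.

    Returns {pid: {"comm": comm, "io_uring_fds": count}} containing only
    processes that hold at least one io_uring descriptor.
    """
    rings = defaultdict(int)
    names = {}
    for pid, comm, target in fd_targets:
        if target == IO_URING_LINK:
            rings[pid] += 1
            names[pid] = comm
    return {
        pid: {"comm": names[pid], "io_uring_fds": count}
        for pid, count in rings.items()
    }


def find_unexpected(ring_owners, allowlist=KNOWN_IO_URING_USERS):
    """Return the sorted pids of ring owners whose name is not allowlisted."""
    return sorted(pid for pid, info in ring_owners.items()
                  if info["comm"] not in allowlist)


# Constructed sample of what scan_proc() might yield on a small host.
SAMPLE_FD_TABLE = [
    (101, "sshd", "socket:[12345]"),
    (202, "postgres", IO_URING_LINK),
    (202, "postgres", "/var/lib/postgresql/data/base/1/1249"),
    (303, "suspicious-bin", IO_URING_LINK),
    (303, "suspicious-bin", IO_URING_LINK),
    (404, "bash", "/dev/pts/0"),
]


if __name__ == "__main__":
    owners = classify_fd_targets(scan_proc())
    for pid, info in sorted(owners.items()):
        flag = "" if info["comm"] in KNOWN_IO_URING_USERS else "  <-- not in allowlist"
        print(f"pid {pid:>7} {info['comm']:<20} io_uring fds: {info['io_uring_fds']}{flag}")
```

Run it as root so every process's fd table is readable. This is a point-in-time check: a ring that is set up and torn down between two scans is never seen, so it complements rather than replaces the approach the Tetragon developers describe, namely hooking the io_uring code paths themselves. Alerting on the `io_uring_setup` syscall (for example via audit rules) gives the creation-time signal that a periodic scan misses.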