shc compiled not protected anymore with Linux kernel >= 4.2 about shc HOT 19 OPEN

just checked with "shc -H -f script.sh -o whatever" it's protected it does not leak... just try again with '-H' or '-U' ...
If you have further issue, please post the complete steps you are doing

No, it is not a good option for "positional parameters", please add this feature as soon as possible @intika

from shc.

@TJokiel solved here https://github.com/Intika-Linux-Apps/SHC-Hardening/tree/master i don't know if this will be merged

from shc.

I can confirm this.

The mitigation is that cmdline only shows the first bytes of the script so you can add a lot of junk at the beginning to hide your code.
However, for what I've read, somebody can change the size of the cmdline contents by changing the kernel source code, recompiling it and executing the script.

from shc.

Has this bug been fixed yet?

from shc.

@Yokai-Seishinkage No... when it's fixed, this issue will be closed

from shc.

I am in kernel 4.4.0 and just checked it:

$ cat >test.sh
#! /bin/bash

#

while true
do
sleep 10
done
$ shc -U -f test.sh
$ sudo ./test.sh.x &
[3] 23741
$ cat /proc/23741/cmdline
sudo./test.sh.x

If you don't use the -U flag, then the cmdline will expose the script.

-U stands for Untraceable (The -T option was reversed and renamed to -U from shc-3.9.1)

from shc.

I am using debian 9 (stretch) and kernel 4.9

I followed the above procedure to compile a simple script with -U and -f
When i run the script using sudo the code is indeed hidden.

However when i run it as a simple user without sudo the code is revealed

./test.sh.x &
cat /proc/30064/cmdline
./test.sh.x-c                                                                                                                                                                                                                                                                                                                          #!/bin/bash

#

while true
do
sleep 10
done

I also tested switching to user root with sudo su and then run it without sudo and it revealed as well.

Is this a known standing bug? Should I compile with other options?

from shc.

im on 4.4.0-97-generic, ubuntu 16.04
summary:

• as normal user, cant run binary after adding -U , premission denied.
• as sudo, the script is hidden.
• as sudo su, the script is NOT hidden

$ ./shc -U -f abc.sh
$ ./abc.sh.x
./abc.sh.x: Operation not permitted
Killed

$ sudo ./abc.sh.x &
[1] 804
$ cat /proc/804/cmdline
sudo./abc.sh.x -----> hidden, fine.

$ sudo su
#./abc.sh.x &
[1] 841
#cat /proc/841/cmdline
./abc.sh.x-c

#! /bin/bash ------> not hidden.
while true
do
sleep 10
done

from shc.

This should be fixed in the last commit ... you need to use -H (Hardening) flag

from shc.

'cat /proc/[pid]/cmdline' issue is covered in latest shc version but still you could reveal all script code with simple 'ps auxww' command even if you use the '-H' flag.

from shc.

are you sure about that 'ps auxww' ? i can not get the script revealed with that.

from shc.

Yes. i'm running the script as root and this is 'ps auxww' output:

root 9109 0.0 0.0 4348 804 pts/4 S 22:38 0:00 ./test.sh.x
root 9110 0.0 0.0 4348 88 pts/4 S 22:38 0:00 ./test.sh.x
root 9111 0.0 0.0 11372 2932 pts/4 S 22:38 0:00 sh -c #! /bin/bash while true do sleep 10 done
root 10286 0.0 0.0 6004 816 pts/4 S 22:38 0:00 sleep 10
root 10521 0.0 0.0 13000 2420 pts/4 R+ 22:38 0:00 ps aux

from shc.

Indeed, confirmed i will look at this when i have the time, nice finding by the way !

from shc.

i opened an issue about it here #69

from shc.

issue still exists in original version and in "solved" version
"https://github.com/Intika-Linux-Apps/SHC-Hardening/tree/master"
ps aux|grep script.sh.c.x shows code.
I'm on Linux 4.4.0-138-generic x86_64

from shc.

@felix303 with the solved version with what parameter did you built your sh script ?

from shc.

just checked with "shc -H -f script.sh -o whatever" it's protected it does not leak... just try again with '-H' or '-U' ...
If you have further issue, please post the complete steps you are doing

from shc.

Also this have been merged (i don't know if it's on release but it's merged... )

from shc.

It worked with "-H" !!! Thanks @intika

from shc.