Skip to content

Latest commit

 

History

History
143 lines (120 loc) · 5.9 KB

README.md

File metadata and controls

143 lines (120 loc) · 5.9 KB

Build and on Linux Enforce clang-format

What is antijack?

antijack was inspired by ttyjack and is its counterpart in some sense, hence the name.

antijack's mission is threefold:

  • demo execution of a program in a way where it cannot inject commands via ioctls TIOCSTI and/or TIOCLINUX into the surrounding controlling terminal, e.g. try antijack ttyjack echo nope.
  • generate and dump a seccomp syscall filter (a BPF program) that blocks ioctls TIOCSTI and TIOCLINUX into a file for use with e.g. bubblewrap a la bwrap --seccomp 3 [..] 3< <(antijack --dump /dev/stdout).
  • demo mitigation at syscall level for Linux leveraging libseccomp. May not be enough!, more on that below.

It should be noted that:

Requirements

  • C99 compiler
  • Linux build and target host
  • glibc ≥ 2.32
  • GNU make
  • libseccomp

How to compile

$ make

Example output (on x86_64)

$ antijack --help
usage: antijack [-v|--verbose] [-o|--dump PATH.bpf] [--] [COMMAND [ARG ..]]
   or: antijack -h|--help

$ antijack -v -- ttyjack echo nope
[*] Initializing libseccomp...
[+]   Done.
[*] Adding rule block TIOCSTI ioctls...
[+]   Done.
[*] Adding rule block TIOCLINUX ioctls...
[+]   Done.
[*] Loading seccomp rules into the kernel...
#
# pseudo filter code start
#
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "ioctl" (16) [priority: 65532]
  if ($syscall == 16)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0xffffffff == 21532)
        action KILL_PROCESS;
      if ($a1.lo32 & 0xffffffff == 21522)
        action KILL_PROCESS;
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#
[+]   Done.
[*] Releasing libseccomp...
[+]   Done.
[*] Running ttyjack...
Bad system call

$ antijack --dump filter.bpf

$ wc -c < filter.bpf
112

Related CVEs (not mine)


Sebastian Pipping, Berlin, 2023