[jonoberheide]

Yeah, mempodroid is a great example. You'd need to randomize the location of the setuid executable (w/PIE), randomize of the linker, and implement something like GRKERNSEC_BRUTE to prevent trivial local bruteforcing of a usable address.

Speaking of which, spender's recent blog post gives a good overview of some of the grsec/PaX mitigations that would hamper the exploitation of the /proc/pid/mem vuln:

http://forums.grsecurity.net/viewtopic.php?f=7&t=2939

[saurik]

Interesting... it never occurred to me that brute forcing an address was feasible enough to bother with. ;P (edit: Although, thinking more, some exploits have a more constrained range of addresses. That said, even here we have a 2-3GB area, but could probably expand the target to "any instruction executed between these points", which might be as much as a kilobyte; requiring just a few million attempts isn't that unreasonable.)

Looking at GRKERNSEC_BRUTE, however, it would not affect this exploit: it is designed to penalize the parent for forking exploitable children (so as, for example, to keep new copies of Apache from coming into existence rapidly enough for them to be remotely exploited); however, here we are assumed to have control of the parent, so we can just add a layer of indirection, never reusing direct parents.

[jonoberheide]

GRKERNSEC_BRUTE will also trigger for suid binaries (in the case of memprodroid, run-as). See gr_handle_brute_attach() for details.

[saurik]

Ah, (for anyone caring enough to read this discussion) apparently the actual code in the patch (which was more complex than listed here [1]) doesn't just ban processes (as with control of the parent we really do have the ability to bypass the process check, as again: we can just keep making replacement exploit containers), but also bans entire user accounts that are causing suspicious memory accesses.

[1] http://xorl.wordpress.com/2010/11/09/grkernsec_brute-exploit...