xiand.ai
Apr 13, 2026 · Updated 10:07 PM UTC

New 'userland-exec' toolkit bypasses Linux kernel security mitigations

A new toolkit allows attackers to execute arbitrary code on hardened Linux systems without triggering kernel-level security alerts or 'noexec' restrictions.

Ryan Torres


Image: a computer terminal displaying Linux kernel source code.

Developers behind the hardenedlinux.org project have released a new toolkit, 'userland-exec,' capable of executing arbitrary ELF binaries on Linux systems despite active kernel-level security mitigations.

The toolkit, which includes a proof-of-concept (PoC) for remote code execution (RCE), bypasses filesystem-based security controls such as 'noexec' mount options and Mandatory Access Control (MAC) systems like SELinux and AppArmor.

By performing the execution process entirely within userspace, the toolkit avoids the kernel's execution path. This prevents the kernel from ever seeing an 'execve(2)' system call, leaving security monitors and audit logs unaware of the new process.

Bypassing kernel enforcement

Traditional Linux hardening relies on the kernel to enforce restrictions when a new process starts. The 'userland-exec' approach instead parses the target ELF header and maps program segments directly into the current process's address space using 'mmap' or 'memfd_create'.

'Once arbitrary code execution is achieved inside a process, filesystem-based and execve-centric controls become largely theater,' the developers stated in their documentation.

The toolkit also includes a mechanism to bypass 'W^X' (Write XOR Execute) protections. It uses a specialized signal handler to temporarily flip memory permissions from 'PROT_EXEC' to 'PROT_WRITE' during the loading process, then restores the original permissions to avoid detection.

To demonstrate the technique end to end, the developers released an 'rce_demo' featuring a deliberately vulnerable TCP server. The demo uses a format-string leak and a stack buffer overflow to hijack control flow and hand execution to the userland loader.

The toolkit supports two primary execution modes: 'disk mode,' which writes the payload to a file before loading it, and 'memfd mode,' which uses 'memfd_create' to hold the payload in an anonymous in-memory file. The latter mode leaves no payload file on disk, making the attack significantly harder for disk-based forensic tools to detect.

Because the toolkit replaces the existing process image in place, system monitoring tools like 'ps' or 'top' continue to display the original, legitimate process name and context. This allows the unauthorized code to run under the guise of a trusted service.
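The traces that both modes leave are visible from outside the process: executable regions in /proc/<pid>/maps that are backed by a '/memfd:' pseudo-file, by no file at all, or by a file that has since been deleted. The following check, an added example and not code from the toolkit or the article, parses maps lines and flags such regions; the sample maps output is constructed, and the memfd name 'payload' is a placeholder.

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+(?:\s+(?P<path>.*))?$"
)

# Executable pseudo-mappings the kernel itself creates; not worth an alert.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}

def classify(perms: str, path: str) -> str:
    """Return a reason if this executable mapping is suspicious, else ''."""
    if "x" not in perms or path in BENIGN_PSEUDO:
        return ""
    if path.startswith("/memfd:"):
        return "executable memfd-backed mapping"       # 'memfd mode' loader
    if path in ("", "[heap]", "[stack]"):
        return "executable anonymous mapping"          # raw mmap()'d segments
    if path.endswith("(deleted)"):
        return "executable mapping of a deleted file"  # 'disk mode', file removed
    if "w" in perms:
        return "writable and executable file mapping"  # W^X not in force
    return ""

def suspicious_exec_mappings(lines) -> list[tuple[str, str, str]]:
    """Parse maps lines; return (address range, path, reason) for each hit."""
    hits = []
    for line in lines:
        m = MAPS_RE.match(line.strip())
        if not m:
            continue
        path = (m["path"] or "").strip()
        reason = classify(m["perms"], path)
        if reason:
            hits.append((f"{m['start']}-{m['end']}", path or "<anon>", reason))
    return hits

# Constructed sample maps output, not captured from a real host.
SAMPLE_MAPS = """\
55d0a0e00000-55d0a0e02000 r--p 00000000 fd:01 1311 /usr/bin/sleep
55d0a0e02000-55d0a0e06000 r-xp 00002000 fd:01 1311 /usr/bin/sleep
7f3c2c000000-7f3c2c01a000 r-xp 00000000 00:01 9001 /memfd:payload (deleted)
7f3c2c200000-7f3c2c221000 rwxp 00000000 00:00 0
7ffd1e3b0000-7ffd1e3b2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for rng, path, reason in suspicious_exec_mappings(SAMPLE_MAPS.splitlines()):
        print(f"{rng} {path}: {reason}")
```

To scan a live process, feed `open(f"/proc/{pid}/maps")` to `suspicious_exec_mappings`; because the loader keeps the original process name, this per-mapping view catches what 'ps' cannot.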
