From: Daniel Souza <thehazard@gmail.com>
To: linux-os@analogic.com
Cc: Arjan van de Ven <arjan@infradead.org>,
Igor Shmukler <igor.shmukler@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: intercepting syscalls
Date: Fri, 15 Apr 2005 14:00:36 -0700 [thread overview]
Message-ID: <e1e1d5f4050415140062b04954@mail.gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.61.0504151628210.662@chaos.analogic.com>
Yes, this can be done by overwriting libc calls or patching httpd
process at runtime to overwrite open() at libc address map, and get
open() calls trapped just for apache. BUT, let's figure a scenario: GD
has a buffer overflow bug that when it tries to get the size of a
existing malformed image (that can be uploaded by any user at web
app), it segfaults. It's a exploitable bug, and a attacker sucessfully
exploit it, binding a shell. Shellcodes don't make use of libc calls.
Instead, they use direct asm calls to trigger system calls that they
need to use (execve(), dup() for example of a connect-back shellcode).
Your method will not trigger that exploitation, but a kernel-level
wrapper will see that "/bin/sh" got executed by httpd, what is...
unacceptable. Yes, I can patch the whole libc and expect when the
attacker issue any "ls -la" that WILL be triggered by your patched
libc wrapper. But I dont like userland patches like that (in fact, I
prefer to avoid libc hackings like that). Imagine a libc wrapper that
inside a read(), it makes a syslog() or anything to log... a simple
strace will catch it up.
Returning to the topic context... the kernel sees everything. Libc
just accept that and live with, as a wife =) I prefer to be the
husband one...
--
# (perl -e "while (1) { print "\x90"; }") | dd of=/dev/evil
next prev parent reply other threads:[~2005-04-15 21:00 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-15 18:04 intercepting syscalls Igor Shmukler
2005-04-15 18:11 ` Arjan van de Ven
2005-04-15 19:41 ` Igor Shmukler
2005-04-15 19:51 ` Daniel Souza
2005-04-15 19:59 ` Igor Shmukler
2005-04-15 20:10 ` Daniel Souza
2005-04-15 20:13 ` Arjan van de Ven
2005-04-15 20:19 ` Daniel Souza
2005-04-15 20:25 ` Chris Wright
2005-04-15 20:38 ` Richard B. Johnson
2005-04-15 21:00 ` Daniel Souza [this message]
2005-04-15 20:55 ` Steven Rostedt
2005-04-18 11:54 ` Rik van Riel
2005-04-18 14:48 ` Igor Shmukler
2005-04-18 14:59 ` Arjan van de Ven
2005-04-18 15:06 ` Igor Shmukler
2005-04-18 15:20 ` Arjan van de Ven
2005-04-18 18:56 ` Terje Malmedal
2005-04-18 19:19 ` Timur Tabi
2005-04-18 19:40 ` Arjan van de Ven
2005-04-19 8:32 ` Terje Malmedal
2005-04-18 15:17 ` Randy.Dunlap
2005-04-18 16:20 ` Igor Shmukler
2005-04-18 16:26 ` Christoph Hellwig
2005-04-15 20:03 ` Randy.Dunlap
2005-04-15 18:12 ` Chris Wright
2005-04-15 18:16 ` Timur Tabi
2005-04-15 19:27 ` Zan Lynx
2005-04-15 20:25 ` Petr Baudis
[not found] <3TDqB-32g-21@gated-at.bofh.it>
[not found] ` <3TDAk-38r-23@gated-at.bofh.it>
[not found] ` <3TEZl-4eW-23@gated-at.bofh.it>
[not found] ` <3TF9b-4lu-25@gated-at.bofh.it>
[not found] ` <3TFiG-4Cc-11@gated-at.bofh.it>
[not found] ` <3TFsj-4HP-3@gated-at.bofh.it>
[not found] ` <3TFsl-4HP-17@gated-at.bofh.it>
[not found] ` <3TFC7-4Og-29@gated-at.bofh.it>
[not found] ` <3TFVm-50J-5@gated-at.bofh.it>
2005-04-15 23:05 ` Bodo Eggert <harvested.in.lkml@posting.7eggert.dyndns.org>
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e1e1d5f4050415140062b04954@mail.gmail.com \
--to=thehazard@gmail.com \
--cc=arjan@infradead.org \
--cc=igor.shmukler@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-os@analogic.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox