Dailydave mailing list archives

The Wonderful Octopus Firewall Troll
From: "Lance M. Havok" <lmh () info-pull com>
Date: Wed, 7 Nov 2007 01:45:14 +0100

Here it comes. Dun dun. It's the firewall troll.

With all the CISSP experts around the industry fighting over the
dissertation of monsieur Rich Mongol, everyone has forgotten that this
very (in Ptacek's own words!) "socket-based firewall" is an innovative
piece of flawed copy-pasta.

It's common knowledge that generally, all grsecurity copycats, with no
exception, suck at stealing spender's touch. Please refer to the
grsecurity patch, if you can read C (I know these days it's getting
tricky).

Hints:

+int grsec_socket_all_gid;
+int grsec_enable_socket_client;
+int grsec_socket_client_gid;
+int grsec_enable_socket_server;
+int grsec_socket_server_gid;
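Review bot: these five knobs ship without a comment saying how they pair up (one enable flag plus one gid per mode), and grsec_enable_socket_all, which gr_handle_sock_all tests below, is not among the declarations shown here; if it is not declared in the elided portion, a CONFIG_GRKERNSEC_SOCKET_ALL build will fail. A one-line comment per pair, e.g. `/* deny non-unix socket() to members of grsec_socket_all_gid */`, would make the denylist semantics explicit.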

(...)

+int
+gr_handle_sock_all(const int family, const int type, const int protocol)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
+       if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
+           (family != AF_UNIX) && (family != AF_LOCAL)) {
+               gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family,
gr_socktype_to_name(type), gr_proto_to_name(protocol));
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
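Review bot: the second half of the family test is redundant: on Linux AF_LOCAL is defined as AF_UNIX, so `(family != AF_UNIX) && (family != AF_LOCAL)` is the same comparison written twice; a single comparison, or a shared helper also used by the server variants below, is clearer. Worth spelling out for anyone reading this as a "firewall": the check is a group denylist, processes whose credentials include grsec_socket_all_gid are refused every non-unix socket() regardless of address or port, and the refusal is logged with GR_DONT_AUDIT. Separately, the gr_log_int_str2 call has been wrapped by the mail client so its continuation line has lost the leading `+`; the hunk as pasted here will not apply.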

(...)

+int
+gr_handle_sock_server(const struct sockaddr *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       if (grsec_enable_socket_server &&
+           in_group_p(grsec_socket_server_gid) &&
+           sck && (sck->sa_family != AF_UNIX) &&
+           (sck->sa_family != AF_LOCAL)) {
+               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
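Review bot: the only thing tested is the address family of the sockaddr handed to bind(); the `sck &&` null guard is correct, but nothing looks at port or address, so this is a per-group blanket ban on non-unix bind(), not per-port filtering, and the GR_BIND_MSG log message is shared with gr_handle_sock_server_other below, so audit records cannot tell which path fired. Same AF_UNIX/AF_LOCAL redundancy as in gr_handle_sock_all.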

(...)

+int
+gr_handle_sock_server_other(const struct sock *sck)
+{
+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
+       if (grsec_enable_socket_server &&
+           in_group_p(grsec_socket_server_gid) &&
+           sck && (sck->sk_family != AF_UNIX) &&
+           (sck->sk_family != AF_LOCAL)) {
+               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
+               return -EACCES;
+       }
+#endif
+       return 0;
+}
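Review bot: this function duplicates gr_handle_sock_server, differing only in the struct walked (struct sock, sk_family instead of sockaddr, sa_family); factor the family test into one helper, e.g. `static int gr_restricted_family(unsigned short family)`, so the two copies cannot drift apart the next time the family list changes. It also reuses GR_BIND_MSG; a distinct message would let logs distinguish a denial on this path from a plain bind() denial.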

@@ -1174,6 +1190,16 @@
        int retval;
        struct socket *sock;

+       if(!gr_search_socket(family, type, protocol)) {
+               retval = -EACCES;
+               goto out;
+       }
+
+       if (gr_handle_sock_all(family, type, protocol)) {
+               retval = -EACCES;
+               goto out;
+       }
+
        retval = sock_create(family, type, protocol, &sock);
        if (retval < 0)
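Review bot: the two new guards use opposite polarity, `!gr_search_socket(...)` treats nonzero as allow while `gr_handle_sock_all(...)` treats nonzero as deny, which is easy to invert during a merge; a consistent convention, or a comment on each, would help. Minor style: `if(!gr_search_socket` is missing the space the adjacent `if (` uses, and since gr_handle_sock_all already returns -EACCES the hard-coded `retval = -EACCES` could take its return value to keep one source of truth. Placement is right: both checks run before sock_create, so a denial has nothing to release, assuming the existing out: label simply returns retval.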

and so on.

The power of grsecurity as a backdoor doesn't rely on grsecurity
being the backdoor itself, but on its code obfuscation, which turns
every code theft into failure and remote rooting. That's the secret.
You can copy it, but you can't copy it right (TM). (See, like Coke:
Cuban coke is not Colombian coke and vice versa; one drills a hole in
your nose, the other one makes you trip on communism.)

Therefore, Apple's new operating system should be named Bang Octopus
(like Bang Bus, but with more and bigger tentacles).

For more information, please refer to The Oxymoron Encyclopedia: The
More you Contradict Yourself:

http://www.matasano.com/log/988/excellent-explanation-of-leopards-firewall-behavior/#comments

We say 'Aloha' to Bob, Mr. R and friends. God bless those who sleep at
night, even when WordPress powers their wildest hallucinations.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave