Dailydave mailing list archives
The Wonderful Octopus Firewall Troll
From: "Lance M. Havok" <lmh () info-pull com>
Date: Wed, 7 Nov 2007 01:45:14 +0100
Here it comes. Dun dun. It's the firewall troll. With all CISSP experts around the industry, fighting over the dissertation of monsieur Rich Mongol, everyone has forgotten that this very (in Ptacek's own words!) "socket-based firewall" is an innovative piece of flawed copy-pasta. It's common knowledge that generally, all grsecurity copycats, with no exception, suck at stealing spender's touch. Please refer to the grsecurity patch, if you can read C (I know these days it's getting tricky). Hints: +int grsec_socket_all_gid; +int grsec_enable_socket_client; +int grsec_socket_client_gid; +int grsec_enable_socket_server; +int grsec_socket_server_gid; (...) +int +gr_handle_sock_all(const int family, const int type, const int protocol) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) && + (family != AF_UNIX) && (family != AF_LOCAL)) { + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol)); + return -EACCES; + } +#endif + return 0; +} (...) +int +gr_handle_sock_server(const struct sockaddr *sck) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + if (grsec_enable_socket_server && + in_group_p(grsec_socket_server_gid) && + sck && (sck->sa_family != AF_UNIX) && + (sck->sa_family != AF_LOCAL)) { + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG); + return -EACCES; + } +#endif + return 0; +} (...) +int +gr_handle_sock_server_other(const struct sock *sck) +{ +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER + if (grsec_enable_socket_server && + in_group_p(grsec_socket_server_gid) && + sck && (sck->sk_family != AF_UNIX) && + (sck->sk_family != AF_LOCAL)) { + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG); + return -EACCES; + } +#endif + return 0; +} 
@@ -1174,6 +1190,16 @@ int retval; struct socket *sock; + if(!gr_search_socket(family, type, protocol)) { + retval = -EACCES; + goto out; + } + + if (gr_handle_sock_all(family, type, protocol)) { + retval = -EACCES; + goto out; + } + retval = sock_create(family, type, protocol, &sock); if (retval < 0) and so on. The power of grsecurity as a backdoor, doesn't rely on grsecurity being the backdoor itself, but because of its code obfuscation, turns every code theft into failure and remote rooting. That's the secret. You can copy it, but you can't copy it right (TM). (See, like Coke, Cuban coke is not Colombian coke and vice versa; one drills a hole in your nose, the other one makes you trip on communism). Therefore, new Apple's operating system, should be named Bang Octopus (like Bang Bus, but with more and bigger tentacles). For more information, please refer to The Oxymoron Encyclopedia: The More you Contradict Yourself: http://www.matasano.com/log/988/excellent-explanation-of-leopards-firewall-behavior/#comments We say 'Aloha' to Bob, Mr. R and friends. God bless those who sleep at night, even when Wordpress powers their wildest hallucinations. _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
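Review bot: in gr_handle_sock_all, gr_handle_sock_server and gr_handle_sock_server_other, the pair of tests against AF_UNIX and AF_LOCAL compares the family with the same value twice, because the Linux headers define AF_LOCAL as an alias of AF_UNIX; one comparison is enough. gr_handle_sock_server and gr_handle_sock_server_other are also identical apart from reading `sck->sa_family` versus `sck->sk_family`, so the group and family check could live in one helper that takes the family, with both functions as thin wrappers around it.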
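Review bot: in the `@@ -1174,6 +1190,16 @@` hunk the two added checks use opposite return conventions: gr_search_socket denies when it returns zero, while gr_handle_sock_all denies when it returns nonzero, which is easy to misread side by side and deserves a comment or consistent naming. The caller also discards the -EACCES that gr_handle_sock_all already returns and hard-codes `retval = -EACCES;` again; assigning `retval = gr_handle_sock_all(family, type, protocol);` and jumping to out when it is nonzero keeps the error code in one place. Minor style point: `if(!gr_search_socket(` lacks the space after `if` that the next added check uses.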