Security Incidents mailing list archives
Re: Suspicious files in /tmp
From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Tue, 19 Jun 2007 09:00:48 +0200 (CEST)
On Mon, 18 Jun 2007, Matt D. Harris wrote:
A lot of times in an exploit scenario, you don't have access to stdin.
Why not? If you can call execve, you can go for sh -c 'echo "foo()" | perl -' instead of calling perl interpreter directly. Or use pipe() + fork().
While the script could still be feasibly passed on the command line, this is a much greater restriction and would shut down a number of existing exploits.
*Existing* exploits usually have little to do with invoking perl - and unless you're fearing local account attacks (unlikely on a firewall?), little to do with creating executable files in /tmp. All it takes to stop most of common exploits is to disallow /bin/sh invoked with stream socket stdin or *id/e*id discrepancies. If you want to defend yourself against off-the-shelf attacks, perl restrictions and noexec are of probably of least use; and if you want to defend yourself against clever, targeted attacks - very much the same... /mz ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E --------------------------------------------------------------------------
Current thread:
- Suspicious files in /tmp kladizkov.thehome (Jun 18)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 19)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Message not available
- Re: Suspicious files in /tmp Michal Zalewski (Jun 20)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Robin Sheat (Jun 19)
- Re: Suspicious files in /tmp Valdis . Kletnieks (Jun 20)
- RE: Suspicious files in /tmp Thyago Braga da Silva (Jun 21)
- RE: Suspicious files in /tmp kaneda (Jun 21)
- Re: Suspicious files in /tmp Eduardo Tongson (Jun 22)
- Re: Suspicious files in /tmp Cy Schubert (Jun 21)