Re: Remote exploitation of network scanners?

[Andrew Scott Reisse <areisse () WAM UMD EDU>]

Yes. There are kernel patches that do this kind of stuff. A very nicely
configurable kernel security patch is medusa. I forgot where to get it but
if anyone wants it I have the source. You define rules of what a process
can access in a config file and can make syscalls (like socket()) change
access.

> I just had a funny idea - how about a application preloader or something
> that intercepts syscalls and/or library function calls, and when the time
> comes (configurable), drops privileges?  setuid(nobody) and stuff?
>
> Configurable on a per-application basis, as to just when the time has
> come - e.g. after a socket(), or after a bind(), or something like that..
> Has anybody thought along those lines?  Is there something already out
> there, or should I try to tackle this as an exercise in messing with
> the loader? :)
>
> (And yes, I am aware of the portability problems in intercepting
>  syscalls.. I might just as well give it a try, based on strace, and
>  fbsd's ktrace.. or something..)
>
> G'luck,
> Peter
>
> --
> When you are not looking at it, this sentence is in Spanish.