Vulnerability Development mailing list archives
Re: Remote exploitation of network scanners?
From: Andrew Scott Reisse <areisse () WAM UMD EDU>
Date: Sat, 2 Sep 2000 11:44:03 -0400
Yes. There are kernel patches that do this kind of stuff. A very nicely configurable kernel security patch is Medusa. I forgot where to get it, but if anyone wants it I have the source. You define rules of what a process can access in a config file and can make syscalls (like socket()) change access.
I just had a funny idea - how about an application preloader or something that intercepts syscalls and/or library function calls, and when the time comes (configurable), drops privileges? setuid(nobody) and stuff? Configurable on a per-application basis, as to just when the time has come - e.g. after a socket(), or after a bind(), or something like that.. Has anybody thought along those lines? Is there something already out there, or should I try to tackle this as an exercise in messing with the loader? :)

(And yes, I am aware of the portability problems in intercepting syscalls.. I might just as well give it a try, based on strace, and fbsd's ktrace.. or something..)

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.
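Added example, not part of either poster's message or of any existing tool: a minimal LD_PRELOAD shim along the lines of the quoted idea, which wraps bind() and drops to an unprivileged uid/gid once the call succeeds. The environment variable names PRIVDROP_UID and PRIVDROP_GID and the default id 65534 are assumptions made for the example.

```c
#define _GNU_SOURCE             /* for RTLD_NEXT */
#include <dlfcn.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef RTLD_NEXT               /* glibc hides it unless _GNU_SOURCE came first */
#define RTLD_NEXT ((void *)-1L)
#endif

/* Read a numeric id from an environment variable (names are assumptions
 * of this example). Anything unset, malformed, out of range or <= 0
 * yields the fallback, so a bad setting can never select uid/gid 0. */
static long id_from_env(const char *name, long fallback) {
    const char *s = getenv(name);
    char *end;
    if (!s || !*s) return fallback;
    long v = strtol(s, &end, 10);
    return (*end == '\0' && v > 0 && v <= 0x7fffffffL) ? v : fallback;
}

/* Drop root for good: supplementary groups, then gid, then uid.
 * Returns 0 on success or when there is nothing to drop, -1 on failure. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must fail */
}

/* Interposed bind(): run the real call, then drop privileges once it
 * has succeeded (e.g. after a privileged port has been bound). */
int bind(int fd, const struct sockaddr *addr, socklen_t len) {
    static int (*real_bind)(int, const struct sockaddr *, socklen_t);
    if (!real_bind)
        real_bind = (int (*)(int, const struct sockaddr *, socklen_t))
                        dlsym(RTLD_NEXT, "bind");
    if (!real_bind) abort();
    int rc = real_bind(fd, addr, len);
    if (rc == 0 && drop_privileges((uid_t)id_from_env("PRIVDROP_UID", 65534),
                                   (gid_t)id_from_env("PRIVDROP_GID", 65534)) != 0)
        abort();                      /* fail closed: never continue as root */
    return rc;
}
```

Build it as a shared object (for example `cc -shared -fPIC -o privdrop.so privdrop.c -ldl`, file names hypothetical) and start the target as root with `LD_PRELOAD` pointing at it. The dynamic loader ignores `LD_PRELOAD` for setuid binaries, and statically linked programs or direct syscalls bypass the wrapper, which is the portability limit the quoted message alludes to.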