Vulnerability Development mailing list archives
Thwarting /bin/bash, an anti-overflow concept ?
From: Alex Schütz <antitrack_legend () chello at>
Date: Wed, 07 Jan 2004 13:39:44 +0100
Dear Vuln-Dev's,Recently I had a simple idea about preventing hack attacks. Most buffer overflows are pretty happy calling /bin/bash as a final means to get an unauthorized root shell.
However, if we do not have any shell, what is going to happen ? There's no /bin/bash to call, thus, the exploit will surely crash some application, but its final goal will be thwarted.
Ofcourse we could rename /bin/bash to /bin/whatever_we_want, and thus add some security by obscurity, but the next exploit is going to cat /etc/shells or /etc/passwd, and then the attacker knows the name of the shell.
Anyhow, if we delete all shells... how safe are we, then ? (Ignoring the case that crontab might not work anymore...)
Thinking this farther, we are going to force the exploit developer to bring along his own binary code of /bin/bash. This may not be possible in every case, since the buffer overflow cannot hold so much data.
Or we could code some kernel module that restricts any permission to call /bin/bash by only a few selected trusted programs, i.e. /bin/login .
What do you think ? Please let me know. Yours, Alex
Current thread:
- Any takers? Revisiting mremap() Jeremy Junginger (Jan 06)
- Message not available
- Thwarting /bin/bash, an anti-overflow concept ? Alex Schütz (Jan 07)
- Re: Thwarting /bin/bash, an anti-overflow concept ? Josh Bressers (Jan 07)
- Re: Thwarting /bin/bash, an anti-overflow concept ? Bruno Lustosa (Jan 07)
- Re: Thwarting /bin/bash, an anti-overflow concept ? Kenneth Peiruza (Jan 07)
- Re: Thwarting /bin/bash, an anti-overflow concept ? security (Jan 07)
- Re: Thwarting /bin/bash, an anti-overflow concept ? Gerardo Richarte (Jan 07)
- Re: Thwarting /bin/bash, an anti-overflow concept ? Valdis . Kletnieks (Jan 07)
- Thwarting /bin/bash, an anti-overflow concept ? Alex Schütz (Jan 07)
- Message not available