Full Disclosure mailing list archives
Re: PHP dlopen() -> Fun with apache (and other
From: andrewg () felinemenace org
Date: Wed, 13 Aug 2003 04:18:41 -0700
On Wed, Aug 13, 2003 at 02:03:21PM +0200, Stefan Esser wrote:
Hello, well you describe nothing more than the documented functionality of the dlopen() call.
I don't see it disabled by default when I was last playing with it - in some cases the admins may not know to disable dlopen / enable safe mode, or the users like having safe mode off. Or, alternatively, the admins might just disable the exec functions. But yes, I agree, though the point would be that most users have nfi about dlopen
You can also have a lot of fun with loading linux kernel modules if your admin allows users to load kernel moduels.
True, but I don't see any distros/os's doing that by default. Given the general state of security, I'd be surprised if most users disabled the dlopen functionality, if they have multiple users on the box.
And stealing SSL private key from apache memory is not really a challenge... You only need to search for some signature in memory and "steal" the next few byte behind it.
I don't see much documentation/notes on this around the place - its quite interesting I think, especially more for learning methods of searching memory (well, shellcode is more). Generally speaking, this also will alert people to how easy it is to make off with your SSL keys, where as they would more likely store them encrypted on disk.
Stefan Esser -- -------------------------------------------------------------------------- Stefan Esser s.esser () e-matters de e-matters Security http://security.e-matters.de/ GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69 -------------------------------------------------------------------------- Did I help you? Consider a gift: http://wishlist.suspekt.org/ --------------------------------------------------------------------------
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- PHP dlopen() -> Fun with apache (and other andrewg (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other Stefan Esser (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other andrewg (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other Andreas Gietl (Aug 13)
- Re: PHP dlopen() -> Fun with apache (and other Stefan Esser (Aug 13)