Security Incidents mailing list archives
RE: Suspicious files in /tmp
From: kaneda () bohater net
Date: Thu, 21 Jun 2007 19:09:21 +0200 (CEST)
On Wed, 20 Jun 2007, Thyago Braga da Silva wrote: :] A binary which you have NOT permission to execute but only to read, it can :] be executed. Morning... On 2.6 kernel its not possible JUST run directly from noexec partition: [@ogoreczek ~]$ /lib/ld-linux.so.2 /tmp/ls /tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment from shared object: Operation not permitted /dev/hda2 on /tmp type ext3 (rw,noexec) but of course You can still use other interpreter: [@ogoreczek /tmp]$ /usr/bin/perl /tmp/a.pl lpr [@ogoreczek /tmp]$ /lib/ld-linux.so.2 /usr/bin/perl /tmp/a.pl lpr [@ogoreczek /tmp]$ cat a.pl #!/usr/bin/perl print "lpr\n"; Kanedaaa :] :] On Tue, 19 Jun 2007 13:33:21 +1200, Robin Sheat said: :] > I think it's also the case (I don't have a noexec partition handy to :] > test on) that you can get around this by doing something like: :] > /lib/ld-linux.so.2 /tmp/mybadbinary :] > e.g.: :] > /lib/ld-linux.so.2 /bin/ls :] :] This particular trick was closed in the 2.6.0 kernel. I am *not* sure :] whether the fix was backported to the 2.4 kernel or not. :] -- [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][].. [+] You can take our lives,but you will never take our Freedom - W.Wallace [+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama [+] Revolution the only solution - System of a down... [+] Dalej idac dalej dojdziesz dalej siedzac dalej siedzisz - etoe aka ok0 [-] Kanedaaa... Bohateur... Cucumber Team Member... kaneda () bohater net ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection! https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E --------------------------------------------------------------------------
Current thread:
- Re: Suspicious files in /tmp, (continued)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 19)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Message not available
- Re: Suspicious files in /tmp Michal Zalewski (Jun 20)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Robin Sheat (Jun 19)
- Re: Suspicious files in /tmp Valdis . Kletnieks (Jun 20)
- RE: Suspicious files in /tmp Thyago Braga da Silva (Jun 21)
- RE: Suspicious files in /tmp kaneda (Jun 21)
- Re: Suspicious files in /tmp Eduardo Tongson (Jun 22)
- Re: Suspicious files in /tmp Cy Schubert (Jun 21)