Secure Coding mailing list archives

Re: (Shellcode Injection)


From: Crispin Cowan <crispin () immunix com>
Date: Mon, 15 Dec 2003 03:30:09 +0000


ljknews wrote:

> At 12:05 PM -0800 12/13/03, Crispin Cowan wrote:
>
>> A common form of attack against Unix and Windows (and in fact many other platforms) is to:
>>
>> 1. Inject malicious code into a victim process's address space.
>> 2. Induce the program to jump to the malicious code.
>>
>> The malicious code often spawns a shell,
>
> External to the defective program, that could be avoided by running
> the program in a process with insufficient quota to spawn a subprocess
> (on operating systems that support such).

"May not spawn anything at all" is highly restrictive for most programs. 
The Immunix OS SubDomain <http://immunix.org/subdomain.html> feature 
lets you specify the set of programs that a given program may spawn.

>>  * The malicious code does not always have to be injected, it can also
>>    be in the program's text segment, colloquially known as "return
>>    into libc" attack.
>>  * Inducing the program to jump to the malicious code can be effected
>>    in a variety of ways, including buffer overflows, printf format
>>    string attacks, and other type safety violations endemic to the C
>>    and C++ languages.
>
> The community I frequent describes all of those as "buffer overflow"
> and does not concern itself with the details of what happens after
> control is transferred.

Fair enough. You only need to care about the specific details if you are
trying to specifically mitigate the problem.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
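The confinement idea discussed in this exchange, "the set of programs that a given program may spawn" as opposed to a blanket "may not spawn anything at all", can be shown as a small policy decision in C. The code below is an added illustration for this archive page, not code from Crispin Cowan, Immunix or SubDomain: the profile text format, the `exec_profile` structure and the `profile_parse`, `may_exec` and `confined_execv` functions are all constructed here to show the decision a spawn-restriction policy makes. SubDomain enforced this in the kernel; a userland wrapper like this one demonstrates the policy but is not an enforcement point, since injected code in the same process could call `execve` directly.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_RULES 16
#define MAX_PATH  256

/* One confinement profile: the programs a confined process may exec.
 * Constructed structure for this example; the text format parsed below
 * (one absolute path per line, '#' comments) is also made up here and is
 * not SubDomain's profile syntax. */
struct exec_profile {
    char allowed[MAX_RULES][MAX_PATH];
    int  count;
};

/* Parse a profile from text such as "/usr/bin/gzip\n/usr/sbin/sendmail\n".
 * Comment lines and blank lines are ignored. Returns the number of rules,
 * or -1 if there are too many rules or a path is too long. */
int profile_parse(const char *text, struct exec_profile *p)
{
    p->count = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len > 0 && text[0] != '#') {
            if (p->count >= MAX_RULES || len >= MAX_PATH)
                return -1;
            memcpy(p->allowed[p->count], text, len);
            p->allowed[p->count][len] = '\0';
            p->count++;
        }
        if (!nl)
            break;
        text = nl + 1;
    }
    return p->count;
}

/* Policy decision: only an exact absolute path listed in the profile may be
 * spawned. Relative names never match, so PATH lookups cannot widen the set.
 * An empty profile is the restrictive "may not spawn anything at all" case. */
int may_exec(const struct exec_profile *p, const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (int i = 0; i < p->count; i++)
        if (strcmp(p->allowed[i], path) == 0)
            return 1;
    return 0;
}

/* Guarded execv: consult the profile before replacing the process image.
 * A denied path fails closed with EACCES; an allowed one proceeds to execv.
 * Only the kernel can make this binding on injected code; here it just
 * shows the check a confinement system performs at exec time. */
int confined_execv(const struct exec_profile *p, const char *path, char *const argv[])
{
    if (!may_exec(p, path)) {
        errno = EACCES;
        return -1;
    }
    return execv(path, argv);
}

int main(void)
{
    struct exec_profile p;
    /* Constructed sample profile for a hypothetical mail filter. */
    const char *policy = "# spawn allowlist for the filter process\n"
                         "/usr/bin/gzip\n"
                         "/usr/sbin/sendmail\n";
    if (profile_parse(policy, &p) < 0) {
        fprintf(stderr, "bad profile\n");
        return 1;
    }
    const char *tries[] = { "/usr/sbin/sendmail", "/bin/sh", "sh", "/usr/bin/gzip" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-20s %s\n", tries[i], may_exec(&p, tries[i]) ? "allowed" : "denied");
    return 0;
}
```

Running it prints one line per candidate path; the shell and the bare name `sh` are denied while the two listed programs are allowed. The design choice worth noting is the exact-match rule on absolute paths: a pattern or basename match would let a process spawn a same-named binary from elsewhere, which defeats the point of naming the set.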