Vulnerability Development mailing list archives

Re: Remote exploitation of network scanners?


From: Peter Pentchev <roam () ORBITEL BG>
Date: Sat, 2 Sep 2000 16:17:03 +0300

On Thu, Aug 31, 2000 at 01:37:05PM +0200, Bluefish (P.Magnusson) wrote:
> I'm not overly familiar with this "Snoop" or any other of these scanners,
> but....
>
> Can't they be placed inside some kind of home-made containment (sandbox,
> or whatever word you prefer). Such as chrooting, dropping capability to
> chroot and so on. [would be better if the developers themselves added
> this to their scanners, but until then]

In that regard..

I just had a funny idea - how about an application preloader or something
that intercepts syscalls and/or library function calls, and when the time
comes (configurable), drops privileges?  setuid(nobody) and stuff?

Configurable on a per-application basis, as to just when the time has
come - e.g. after a socket(), or after a bind(), or something like that..
Has anybody thought along those lines?  Is there something already out
there, or should I try to tackle this as an exercise in messing with
the loader? :)

(And yes, I am aware of the portability problems in intercepting
 syscalls.. I might just as well give it a try, based on strace, and
 fbsd's ktrace.. or something..)

G'luck,
Peter

--
When you are not looking at it, this sentence is in Spanish.
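
The preloader idea from the message above, as an added example that is not part of the original post or of any existing tool: a shared object interposes socket() and switches to an unprivileged account once the configured number of sockets has been opened. The environment variable names PRIVDROP_USER and PRIVDROP_AFTER, the file name privdrop.so and the exit code 126 are assumptions made for this example.

```c
#define _DEFAULT_SOURCE 1  /* for setgroups() and syscall() */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build: cc -shared -fPIC -o privdrop.so privdrop.c
 * Use:   PRIVDROP_USER=nobody LD_PRELOAD=./privdrop.so <program> [args]
 * PRIVDROP_USER and PRIVDROP_AFTER are names made up for this example. */

/* Number of successful socket() calls to allow before dropping (default 1). */
int parse_after(const char *s) {
    char *end = NULL;
    long n = s ? strtol(s, &end, 10) : 0;
    return (s && *s && *end == '\0' && n > 0 && n < 1024) ? (int)n : 1;
}

/* Become `user` permanently. Returns 0 on success, -1 on any failure. */
int drop_privs(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)   /* unknown account, or not a drop */
        return -1;
    uid_t uid = pw->pw_uid;
    gid_t gid = pw->pw_gid;
    /* Groups and gid first: once the uid is gone they can no longer change. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop only counts if root cannot be regained. */
    return (setuid(0) == 0 || geteuid() != uid) ? -1 : 0;
}

/* Same prototype as libc's socket(), so a preloaded copy is bound first.
 * The kernel is entered directly instead of looking up libc's version. */
int socket(int domain, int type, int protocol) {
    static int seen, done;
    int fd = (int)syscall(SYS_socket, domain, type, protocol);
    if (fd < 0 || done || geteuid() != 0)
        return fd;                       /* failed, already dropped, or not root */
    if (++seen < parse_after(getenv("PRIVDROP_AFTER")))
        return fd;
    done = 1;        /* set before the lookup: getpwnam() may open sockets */
    const char *user = getenv("PRIVDROP_USER");
    if (drop_privs(user ? user : "nobody") != 0)
        _exit(126);  /* fail closed: never continue as root */
    return fd;
}
```

The dynamic loader ignores LD_PRELOAD for set-user-ID programs, and statically linked binaries or code that issues the system call itself never reach the shim, so this covers dynamically linked programs started by root.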

