Vulnerability Development mailing list archives

Subversive Dynamic Linking on UNIX Platforms


From: grugq <grugq () coredump cx>
Date: Mon, 5 Nov 2001 17:45:36 +0100

Hello,

I have recently written a paper on a new technique that enables UNIX
parasites to greatly expand their functionality.  UNIX parasites have been
recently recognized as a threat, but very little public work has been
addressed to parasitic techniques.  Without a clear understanding of the
capabilities of this emerging threat, how can the security industry hope to
adequately defend the Internet?  This paper goes some step towards revealing
an extremely powerful parasite technique that will hopefully awaken the world
to the potential of UNIX parasites.

Using this technique, developed into a methodology within the paper, it is
extremely simple to create parasites with potent payloads.  These parasites
can be used to backdoor processes, or binaries, presenting a clear and present
danger to the integrity of UNIX systems.  A mechanism for subverting a
process is about to be made public, so I shall refrain from discussing it
further.

This paper is available in PDF from:

http://hcunix.7350.org/grugq/doc/subversiveld.pdf

"Development of feature rich Unix parasites has been severely limited by the
inability to reliably access functions external to the host file. Until now,
it has been accepted as fact that utilizing libraries from within parasite
code is a prohibitively complex task. We explore the dynamic linking mechanisms
of the Executable and Linkable Format (ELF), and how these mechanisms can
be bypassed or hijacked to allow parasite code access to shared objects. We
demonstrate that it is not only possible, but also relatively simple, to load
libraries and resolve symbols using a methodology developed within this paper.
This methodology is simple to implement and can be utilized on any modern Unix
supporting both the ELF and the /proc file system. Implementations of this
methodology are presented for each of three popular Unix variants: Linux,
FreeBSD and Solaris."



peace,


grugq [ grugq () hcunix org ]

[Begin shameless self-promotion]
p.s. If you can offer me a job in the computer security field in either the UK
or Europe, please let me know.
[End shameless self-promotion]

