RE: Thwarting /bin/bash, an anti-overflow concept ?

["Altheide, Cory B." <AltheideC () nv doe gov>]

> -----Original Message-----
> From: Alex Schütz [mailto:antitrack_legend () chello at] 
> Sent: Wednesday, January 07, 2004 4:40 AM
> To: vuln-dev
> Subject: Thwarting /bin/bash, an anti-overflow concept ?
>
>
>
> Dear Vuln-Dev's,
>
> Recently I had a simple idea about preventing hack attacks. 
> Most buffer 
> overflows are pretty happy calling /bin/bash as a final means 
> to get an 
> unauthorized root shell.
 
...

> Thinking this farther, we are going to force the exploit 
> developer to bring 
> along his own binary code of /bin/bash. This may not be 
> possible in every 
> case, since the buffer overflow cannot hold so much data.

I think you are mistakenly stuck on bash.

One could easily embed something like Tiny shell:
http://linux.tucows.com/preview/306138.html (or similar) into the exploit
post-overflow and achieve the same effect.

Please don't be angered or offended if I've overlooked something in your
post. ;)

Thanks!

Cory Altheide
Senior Network Forensics Specialist
NNSA Information Assurance Response Center (IARC)
altheidec () nv doe gov