List:       linux-security-module
Subject:    Re: shellcode detection and prevention in LIDS
From:       Valdis.Kletnieks () vt ! edu
Date:       2002-05-24 3:45:27

On Thu, 23 May 2002 16:20:58 PDT, Huagang Xie said:

> When the parameter/env length is too long, it will print out a message to
> warn you, and if it finds shellcode at the same time, it will stop the
> program. This checking only applies to setuid/setgid programs. It is a very
> simple way to check for shellcode: it only checks for the system call assembly
> code, for example, for I386, it is "\xcd\x80". Now we can support only
> I386, MIPS, SPARC and PPC. During testing, it has successfully detected and
> prevented some of the local buffer overflow attacks, like su, xlock. Here is
> some log example shown on my machine,

First off, let me say this patch (which I have NOT tried) looks like a
Very Good Thing overall.  However, I see 2 weaknesses offhand:

1) It does not help if the shellcode sled is smaller than your
SHELLCODE_LENGTH variable (which could easily be the case, for instance,
if the exploit attacks a 64-byte long buffer - see the xntpd exploit,
which was an off-by-one on a 128-byte buffer, if I remember right).

2) If the shellcode does an XOR-trick to mask the \xcd\x80, similar to
the usual techniques for embedding nulls, your code won't stop that either.

But as long as you realize it has limits, it looks good....

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech


_______________________________________________
linux-security-module mailing list
linux-security-module@wirex.com
http://mail.wirex.com/mailman/listinfo/linux-security-module
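Added example, not code from the LIDS patch or from either poster: a minimal
model of the argv/env check described in the thread (scan an over-long
argument for the i386 "int 0x80" bytes, warn on length, block on a match),
followed by the two evasions raised in the reply. The threshold name
SHELLCODE_LENGTH, its value of 128, the verdict codes, the helper names and
the sample payloads are all assumptions made for this illustration; the
payload is a NOP sled plus "\xcd\x80", not a working exploit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold; in the patch this is the SHELLCODE_LENGTH setting. */
#define SHELLCODE_LENGTH 128
#define MAX_ARG 512

enum verdict { ALLOW = 0, WARN = 1, BLOCK = 2 };

/* i386 "int 0x80" assembles to 0xcd 0x80; that byte pair is the signature. */
static const unsigned char SYSCALL_SIG[2] = { 0xcd, 0x80 };

/* Return 1 if the raw syscall opcode bytes appear anywhere in buf. */
int has_syscall_bytes(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == SYSCALL_SIG[0] && buf[i + 1] == SYSCALL_SIG[1])
            return 1;
    return 0;
}

/* Model of the check: only an argument longer than the threshold is
 * inspected. A long argument is a warning; a long argument that also
 * carries the syscall bytes is blocked. Short arguments are never scanned. */
enum verdict check_argument(const unsigned char *buf, size_t len)
{
    if (len <= SHELLCODE_LENGTH)
        return ALLOW;
    return has_syscall_bytes(buf, len) ? BLOCK : WARN;
}

/* Constructed sample: a NOP sled (0x90) ending in "int 0x80". It is only
 * a pattern for the scanner to see, not a working exploit. */
size_t build_sample(unsigned char *buf, size_t sled_len)
{
    memset(buf, 0x90, sled_len);
    memcpy(buf + sled_len, SYSCALL_SIG, 2);
    return sled_len + 2;
}

/* Single-byte XOR masking, the same trick used to keep NULs out of
 * shellcode. Picks a key such that the masked bytes contain neither a NUL
 * (which would end an argv string) nor the 0xcd 0x80 pair. Returns the
 * key, or 0 if no key works for this payload. */
unsigned char xor_mask(const unsigned char *in, size_t len, unsigned char *out)
{
    for (int key = 1; key < 256; key++) {
        int ok = 1;
        for (size_t i = 0; i < len && ok; i++) {
            out[i] = in[i] ^ (unsigned char)key;
            if (out[i] == 0)
                ok = 0;
        }
        if (ok && !has_syscall_bytes(out, len))
            return (unsigned char)key;
    }
    return 0;
}

/* What a decoder stub does in memory before jumping into the real code;
 * a real stub (xor/inc/loop) contains no int 0x80 of its own either. */
void xor_unmask(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Verdict for an unmasked sample with the given sled length. */
int verdict_plain(size_t sled_len)
{
    unsigned char buf[MAX_ARG];
    size_t n = build_sample(buf, sled_len);
    return check_argument(buf, n);
}

/* Verdict for the masked form, or (decoded != 0) for the same bytes after
 * the decoder stub has run. Returns -1 if no usable key exists. */
int verdict_masked(size_t sled_len, int decoded)
{
    unsigned char plain[MAX_ARG], masked[MAX_ARG];
    size_t n = build_sample(plain, sled_len);
    unsigned char key = xor_mask(plain, n, masked);
    if (key == 0)
        return -1;
    if (decoded)
        xor_unmask(masked, n, key);
    return check_argument(masked, n);
}

int main(void)
{
    printf("200-byte sled, visible int 0x80 : %d (2 = blocked)\n", verdict_plain(200));
    printf("62-byte sled, under threshold   : %d (0 = never scanned)\n", verdict_plain(62));
    printf("200-byte sled, XOR-masked       : %d (1 = warning only)\n", verdict_masked(200, 0));
    printf("same bytes after decoding       : %d (2 = blocked)\n", verdict_masked(200, 1));
    return 0;
}
```

The 64-byte case (62-byte sled plus the two opcode bytes) never reaches the
scanner because it sits under the threshold, which is the first weakness in
the reply; the masked case passes the scan with only a length warning and
regains its "\xcd\x80" only once the decoder runs in the target process,
which is the second. Any byte-pattern signature applied to argv/env has the
same two gaps, regardless of which architecture's syscall opcode it looks for.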