[Cialug] Nix Shared Code Injection

John.Lengeling at radisys.com John.Lengeling at radisys.com
Thu Jan 5 15:29:34 CST 2006


Open up /dev/mem or /dev/kmem.  I am sure that newer *Nix would have newer
safeguards, my experience is with old *Nix.  But in the past, if you have
r/w access to kernel memory, you can easily compromise a system.

johnl



Chris Hilton <chris129 at cs.iastate.edu> 
Sent by: cialug-bounces at cialug.org
01/05/2006 02:04 PM
Please respond to
Central Iowa Linux Users Group <cialug at cialug.org>


To
Central Iowa Linux Users Group <cialug at cialug.org>
cc

Subject
Re: [Cialug] Nix Shared Code Injection






How could you have read/write access to another process's memory without it
explicitly giving it to you via shared memory?

On Thursday 05 January 2006 13:31, John.Lengeling at radisys.com wrote:
> Thinking off the top of my head...
>
> Under UNIX, there isn't an API call (that I know of...) which would do the
> same thing as Windows, but there are several ways of injecting code or
> getting a process to run arbitrary code:
>
> 1. R/W access to the Kernel memory - If you have r/w access, you can
> access any part of the kernel or any process's memory.  Plus the ghost is
> up for anything else since you can easily get root access.
> 2. R/W access to the Process memory - If you have r/w access, you can
> change code/data in the process's memory space.  And if the process has
> root permissions, then even better.
> 3. Buffer overflows - If you can overflow a buffer, you can force the
> process to execute arbitrary code.  See information on Morris Worm.
> 4. Intercepting exec/forks of new processes - Badly written exec/fork
> code can be compromised by executing some other program.
>
>
>
>
> Chris Hilton <chris129 at cs.iastate.edu>
> Sent by: cialug-bounces at cialug.org
> 01/05/2006 01:05 PM
> Please respond to
> Central Iowa Linux Users Group <cialug at cialug.org>
>
>
> To
> Central Iowa Linux Users Group <cialug at cialug.org>, amesfug at amesfug.org
> cc
>
> Subject
> [Cialug] Nix Shared Code Injection
>
>
>
>
>
>
> I've got a theoretical question.  It's come to my attention that the way
> in which a lot of spyware works is through some APIs in Windows (apparently
> written for debuggers) by injecting a DLL into another running process.
> The standard process permissions apply, but you can inject from say bob.exe
> into iexplorer.exe.
> My question is about Nix though.  Does anyone know if this can be done on
> Nix?
>
> I've looked into Sys V IPC for shared memory and mmap and neither looks
> like you could involuntarily do anything to another process's memory space
> (it'd have to open the same IPC location if I read correctly).
> I also looked at what processes look like under gdb, and not under it: they
> look exactly the same.  I compared /proc/`pidof procName`/maps in each case.
>
> I'm not finding anything to suggest a way to do this, at least not a way
> that wouldn't be against what the documentation says.  Does anyone know
> more about this?  It's piqued my curiosity.
>
>
> On a side note, this is why ZoneAlarm doesn't stop nearly as much spyware
> as it used to.  Since spyware can hitch its own DLL on iexplorer and do its
> sends from there it looks like iexplorer is connecting to the net; and no
> one but a Firefox user, who doesn't run updates, would refuse that ;).

-- 
"The only winning move is not to play."
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
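Added example, written for this archive page and not part of the thread above. The second item in John's list (read/write access to another process's memory) is exactly what a Unix debugger interface hands out. On Linux that interface is ptrace(2) (PTRACE_ATTACH, PTRACE_PEEKTEXT/POKETEXT) and its file-based equivalent /proc/<pid>/mem; opening another process's mem file is gated by the same kernel ptrace access check as attaching (same uid and a dumpable target, or CAP_SYS_PTRACE, further narrowed by Yama's ptrace_scope on distributions that enable it), which is the Linux form of the "standard process permissions apply" rule from the Windows description. The C program below uses /proc/self/mem so it runs unprivileged: it writes into a page mapped PROT_READ only, then replaces the body of a function with native machine code (x86-64 and AArch64 only; other architectures report -2). A write through /proc/<pid>/mem succeeds on pages the process itself could not store to, because the kernel performs the access on the debugger's behalf (this is how gdb plants breakpoints in text pages). On the /dev/mem route in John's reply: current kernels built with CONFIG_STRICT_DEVMEM refuse RAM access through /dev/mem, and /dev/kmem was removed in Linux 5.13.

```c
/* Added example (not from the thread): writing into a process's memory on
 * Linux through /proc/<pid>/mem, the file-based face of the ptrace debugger
 * interface.  The target is the current process (/proc/self/mem) so that it
 * runs unprivileged; against another pid the same open()/pwrite() works
 * whenever the kernel's ptrace access check lets the caller attach. */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Write len bytes at virtual address addr in process pid through
 * /proc/<pid>/mem.  Returns 0 on success, -1 on failure. */
static int mem_write(pid_t pid, uintptr_t addr, const void *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    ssize_t n = pwrite(fd, buf, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Map a page with PROT_READ only, so that an ordinary store to it would
 * fault, then change its contents through /proc/self/mem.  Returns the
 * value read back (42 on success) or -1 if the kernel refused the write. */
int patch_readonly_page(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    int v = 42, out = -1;
    if (mem_write(getpid(), (uintptr_t)page, &v, sizeof v) == 0)
        out = *(volatile int *)page;   /* protection was never changed */
    munmap(page, pagesz);
    return out;
}

/* Victim function.  noinline plus the volatile pointer call below keep the
 * compiler from folding the call into a constant 1. */
__attribute__((noinline)) int target(void)
{
    return 1;
}

/* Overwrite the start of target() with native code for "return 42".
 * Returns what target() returns afterwards (42 on success), -1 if the
 * write failed, -2 on an architecture this example does not cover. */
int patch_code(void)
{
#if defined(__x86_64__) || defined(__aarch64__)
# if defined(__x86_64__)
    static const unsigned char stub[] = {
        0xB8, 0x2A, 0x00, 0x00, 0x00,   /* mov eax, 42 */
        0xC3                            /* ret         */
    };
# else
    static const unsigned char stub[] = {
        0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
        0xC0, 0x03, 0x5F, 0xD6          /* ret         */
    };
# endif
    int (*volatile fn)(void) = target;
    uintptr_t addr = (uintptr_t)fn;
    if (mem_write(getpid(), addr, stub, sizeof stub) != 0)
        return -1;
    /* The text page was changed behind the CPU's back: invalidate the
     * instruction cache (a no-op on x86, required on AArch64). */
    __builtin___clear_cache((char *)addr, (char *)(addr + sizeof stub));
    return fn();
#else
    return -2;
#endif
}

int main(void)
{
    printf("read-only page after /proc/self/mem write: %d\n",
           patch_readonly_page());
    printf("target() after code patch: %d\n", patch_code());
    return 0;
}
```

To turn this against a different process, replace getpid() with the victim's pid and run as the same uid (or as root); the open() fails with EACCES or EPERM exactly where ptrace(PTRACE_ATTACH) would, so /proc/<pid>/mem is a convenient probe of what ptrace_scope and the dumpable flag permit on a given box.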
