[Cialug] Nix Shared Code Injection
John.Lengeling at radisys.com
Thu Jan 5 13:31:31 CST 2006
Thinking off the top of my head...

Under UNIX, there isn't an API call (that I know of...) which would do the same thing as Windows, but there are several ways of injecting code or getting a process to run arbitrary code:

1. R/W access to the kernel memory - If you have r/w access, you can access any part of the kernel or any process's memory. Plus the ghost is up for anything else since you can easily get root access.

2. R/W access to the process memory - If you have r/w access, you can change code/data in the process's memory space. And if the process has root permissions, then even better.

3. Buffer overflows - If you can overflow a buffer, you can force the process to execute arbitrary code. See information on the Morris Worm.

4. Intercepting exec/forks of new processes - Badly written exec/fork code can be compromised by executing some other program.
Chris Hilton <chris129 at cs.iastate.edu>
Sent by: cialug-bounces at cialug.org
01/05/2006 01:05 PM
Please respond to: Central Iowa Linux Users Group <cialug at cialug.org>
To: Central Iowa Linux Users Group <cialug at cialug.org>, amesfug at amesfug.org
cc:
Subject: [Cialug] Nix Shared Code Injection
I've got a theoretical question. It's come to my attention that the way in which a lot of spyware works is through some APIs in Windows (apparently written for debuggers) by injecting a dll into another running process. The standard process permissions apply, but you can inject from say bob.exe into iexplorer.exe.

My question is about Nix though. Does anyone know if this can be done on Nix?

I've looked into Sys V IPC for shared memory and mmap and neither looks like you could involuntarily do anything to another process's memory space (it'd have to open the same IPC location if I read correctly).

I also looked at what processes look like under gdb, and not under it: they look exactly the same. I compared /proc/`pidof procName`/maps in both cases.

I'm not finding anything to suggest a way to do this, at least not a way that wouldn't be against what the documentation says. Does anyone know more about this? It's piqued my curiosity.

On a side note, this is why ZoneAlarm doesn't stop nearly as much spyware as it used to. Since spyware can hitch its own dll on iexplorer and do its sends from there, it looks like iexplorer is connecting to the net; and no one but a firefox user, who doesn't run updates, would refuse that ;).
--
"The only winning move is not to play."
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
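The original poster compared /proc/`pidof procName`/maps by eye to see whether anything had been added to a process. The following is an added example, not code from either message or from the list: it parses the /proc/<pid>/maps format, diffs the set of shared objects between a baseline snapshot and a later one, and flags the executable mappings a defender would want to examine (anonymous executable regions, executable regions backed by a deleted file, writable-and-executable file mappings, and shared objects loaded from outside the usual library directories). The two maps snapshots are constructed for the example, and the trusted library prefixes are an assumption to be adjusted for the host.

```python
"""Audit /proc/<pid>/maps text for signs of code injected into a process.

Added example (not from the thread). The maps snapshots below are
constructed, not captured from a real process.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Set

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Assumption: where a normally linked program loads its shared objects from.
TRUSTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous mappings, "[heap]"/"[vdso]" etc. for pseudo-paths

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        mappings.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"].strip()))
    return mappings


def loaded_libraries(text: str) -> Set[str]:
    """Paths of file-backed mappings that look like shared objects."""
    return {m.path for m in parse_maps(text) if m.path.startswith("/") and ".so" in m.path}


def new_libraries(baseline_text: str, current_text: str) -> Set[str]:
    """Shared objects present now that were absent from the baseline snapshot."""
    return loaded_libraries(current_text) - loaded_libraries(baseline_text)


def suspicious_mappings(text: str, trusted=TRUSTED_LIB_PREFIXES) -> List[str]:
    """Describe executable mappings that do not match a normally linked program."""
    findings = []
    for m in parse_maps(text):
        if not m.executable or m.path.startswith("["):  # skip [vdso], [stack], ...
            continue
        where = f"{m.start:x}-{m.end:x} {m.perms} {m.path or '[anon]'}"
        if m.path == "":
            findings.append(f"anonymous executable mapping: {where}")
        elif m.path.endswith("(deleted)"):
            findings.append(f"executable mapping backed by a deleted file: {where}")
        elif m.writable:
            findings.append(f"writable and executable file mapping: {where}")
        elif ".so" in m.path and not m.path.startswith(trusted):
            findings.append(f"shared object outside trusted library dirs: {where}")
    return findings


# Constructed baseline: a small program with libc and the dynamic loader mapped.
BASELINE = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/demo
00651000-00652000 rw-p 00051000 08:01 131 /usr/bin/demo
00e0f000-00e30000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1c5000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc-2.23.so
7f3a1c3c4000-7f3a1c3c8000 rw-p 001c4000 08:01 1234 /lib/x86_64-linux-gnu/libc-2.23.so
7f3a1c3ca000-7f3a1c3f0000 r-xp 00000000 08:01 1200 /lib/x86_64-linux-gnu/ld-2.23.so
7ffd2a1e0000-7ffd2a201000 rw-p 00000000 00:00 0 [stack]
7ffd2a3f4000-7ffd2a3f6000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed later snapshot of the same process with three additions.
INJECTED = BASELINE + """\
7f3a1b800000-7f3a1b810000 r-xp 00000000 08:01 9999 /tmp/.x/evil.so
7f3a1b900000-7f3a1b901000 rwxp 00000000 00:00 0
7f3a1ba00000-7f3a1ba10000 r-xp 00000000 08:01 9998 /tmp/libhook.so (deleted)
"""

if __name__ == "__main__":
    # Usage: python maps_audit.py [/proc/<pid>/maps]; defaults to the constructed sample.
    current = open(sys.argv[1]).read() if len(sys.argv) > 1 else INJECTED
    for lib in sorted(new_libraries(BASELINE, current)):
        print("new library since baseline:", lib)
    for finding in suspicious_mappings(current):
        print(finding)
```

The baseline-versus-current diff is the check the original poster was doing by hand; the `suspicious_mappings` pass works without a baseline, so it can run over every process on a host. Expect legitimate hits from JIT runtimes (anonymous rwx regions) and from libraries upgraded while the process was running (mappings marked "(deleted)"), so treat the output as a list to review rather than a verdict.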