[Cialug] Nix Shared Code Injection
Nathan C. Smith
smith at ipmvs.com
Thu Jan 5 14:12:04 CST 2006
Buffer overrun
-----Original Message-----
From: Chris Hilton [mailto:chris129 at cs.iastate.edu]
Sent: Thursday, January 05, 2006 2:04 PM
To: Central Iowa Linux Users Group
Subject: Re: [Cialug] Nix Shared Code Injection
How could you have read write access to another process's memory without it
explicitly giving it to you via shared memory?
On Thursday 05 January 2006 13:31, John.Lengeling at radisys.com wrote:
> Thinking off the top of my head...
>
> Under UNIX, there isn't an API call (that I know of...) which would do
> the same thing as Windows, but there are several ways of injecting
> code or getting a process to run arbitrary code:
>
> 1. R/W access to the Kernel memory - If you have r/w access, you can
> access any part of the kernel or any process's memory. Plus the ghost
> is up for anything else since you can easily get root access.
> 2. R/W access to the Process memory - If you have r/w access, you can
> change code/data in the process's memory space. And if the process has
> root permissions, then even better.
> 3. Buffer overflows - If you can overflow a buffer, you can force the
> process to execute arbitrary code. See information on Morris Worm.
> 4. Intercepting exec/forks of new processes - Badly written exec/fork
> code can be compromised by executing some other program.
>
> Chris Hilton <chris129 at cs.iastate.edu>
> Sent by: cialug-bounces at cialug.org
> 01/05/2006 01:05 PM
> Please respond to Central Iowa Linux Users Group <cialug at cialug.org>
>
> To: Central Iowa Linux Users Group <cialug at cialug.org>, amesfug at amesfug.org
> Subject: [Cialug] Nix Shared Code Injection
>
> I've got a theoretical question. It's come to my attention that the
> way in which a lot of spyware works is through some APIs in Windows
> (apparently written for debuggers) by injecting a dll into another
> running process. The standard process permissions apply, but you can
> inject from say bob.exe into iexplorer.exe.
> My question is about Nix though. Does anyone know if this can be done
> on Nix?
>
> I've looked into Sys V IPC for shared memory and mmap and neither look
> like you could involuntarily do anything to another process's memory
> space (it'd have to open the same IPC location if I read correctly).
> I also looked at what processes look like under gdb, and not under it:
> they look exactly the same. I used /proc/`pidof procName`/maps to
> compare.
>
> I'm not finding anything to suggest a way to do this, at least not a
> way that wouldn't be against what the documentation says. Does anyone
> know more about this? It's piqued my curiosity.
>
> On a side note, this is why zonealarm doesn't stop nearly as much
> spyware as it used to. Since spyware can hitch its own dll on
> iexplorer and do its sends from there, it looks like iexplorer is
> connecting to the net; and no one but a firefox user, who doesn't run
> updates, would refuse that ;).
--
"The only winning move is not to play."
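The /proc/`pidof procName`/maps comparison described in the original post can be automated from the defender's side. The following Python is an added example, not code from anyone in this thread: it parses two maps snapshots of the same process, reports shared objects that appeared between them, and flags anonymous executable or writable-and-executable regions, which are the usual traces left by injected code. The sample maps content, paths and inode numbers are constructed for the example.

```python
import re
from collections import namedtuple

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$")
# inode 0 means an anonymous mapping with no backing file.
Mapping = namedtuple("Mapping", "start end perms inode path")

def parse_maps(text):
    """Parse the text of a maps file into Mapping records; skips malformed lines."""
    found = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            found.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                 m["perms"], int(m["inode"]), m["path"].strip()))
    return found

def loaded_objects(maps):
    """Files mapped into the process: the binary and its shared objects."""
    return {m.path for m in maps if m.inode != 0}

def suspicious_regions(maps):
    """Executable regions with no backing file (the kernel's [vdso]/[vsyscall] excepted)
    and regions that are both writable and executable: common traces of injected code."""
    pseudo = ("[vdso]", "[vsyscall]")
    return [m for m in maps if ("w" in m.perms and "x" in m.perms)
            or ("x" in m.perms and m.inode == 0 and m.path not in pseudo)]

def compare_snapshots(baseline_text, current_text):
    """Diff two maps snapshots of the same process taken at different times."""
    before, after = parse_maps(baseline_text), parse_maps(current_text)
    return {"new_objects": loaded_objects(after) - loaded_objects(before),
            "suspicious": suspicious_regions(after)}

# Constructed sample snapshots (not real captures), in 32-bit maps layout.
BASELINE = """\
08048000-0804c000 r-xp 00000000 03:01 12345 /usr/bin/example
b7e00000-b7f40000 r-xp 00000000 03:01 23456 /lib/libc.so.6
b7f5a000-b7f5b000 r-xp 00000000 00:00 0 [vdso]
bffeb000-c0000000 rw-p bffeb000 00:00 0 [stack]
"""
# Later snapshot: a new shared object from /tmp plus an anonymous rwx region.
LATER = BASELINE + """\
b7d00000-b7d10000 r-xp 00000000 03:01 34567 /tmp/libhook.so
b7c00000-b7c01000 rwxp 00000000 00:00 0
"""
```

Taking a baseline snapshot right after a process starts and re-running compare_snapshots periodically gives a cheap check for unexpected shared objects or code regions appearing in a long-running process.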
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug