Hi,

Attached please find a diff file to LIDS for LSM which adds shellcode detection and prevention. It is a very simple one and can detect whether a command parameter or environment string contains shellcode and whether its length is too long. When the parameter/env length is too long, it will print out a message to warn you, and if shellcode is found at the same time, it will stop the program. This check only applies to setuid/setgid programs.

It is a very simple way to check for shellcode: it only checks for the system call assembly code, for example, for i386, it is "\xcd\x80". Now we support only i386, MIPS, SPARC and PPC.

During testing, it has successfully detected and prevented some of the local buffer overflow attacks, like su, xlock. Here are some example log lines shown on my machine:

LIDS: bash (dev 3:2 inode 80747) pid 20450 ppid 20445 uid/gid (500/500) on (ttyp) : Found overlong parameters when exec /usr/X11R6/bin/xlock: length = 4095
LIDS: bash (dev 3:2 inode 80747) pid 20450 ppid 20445 uid/gid (500/500) on (ttyp) : Shellcode detected when exec /usr/X11R6/bin/xlock, program terminated!

Without this feature, the exploit code can get a root shell; now it can be stopped!

To use it, download the latest version of LIDS for LSM using BitKeeper or download it from lsm.immnuix.org, and then apply this patch to it.

Enjoy it and report bugs,

Huagang
--
LIDS secure linux kernel http://www.lids.org/
1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028
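The check described in the post, written out as an added userspace example (not the LIDS patch itself): each argv/envp string of a setuid/setgid exec is scanned for a syscall instruction encoding and measured against a length threshold. The i386 "int 0x80" bytes come from the post; the SPARC "ta 0x10" encoding, the threshold value and the sample inputs are my own additions.

```c
#include <stddef.h>
#include <string.h>
#define LIDS_ARG_OVERLONG  1   /* an argv/envp string exceeds the threshold */
#define LIDS_ARG_SHELLCODE 2   /* a syscall instruction encoding was found */
#define LIDS_MAX_ARG_LEN 1024  /* constructed threshold; the post's log shows 4095 */
struct syscall_sig { const unsigned char *bytes; size_t len; };
/* i386 "int 0x80" is named in the post; SPARC "ta 0x10" is added from general
 * knowledge. MIPS/PPC syscall encodings contain 0x00 bytes, so they can never
 * occur inside a NUL-terminated argv/envp string and are omitted here. */
static const unsigned char sig_i386[]  = { 0xcd, 0x80 };
static const unsigned char sig_sparc[] = { 0x91, 0xd0, 0x20, 0x10 };
static const struct syscall_sig sigs[] = {
    { sig_i386, sizeof sig_i386 }, { sig_sparc, sizeof sig_sparc },
};
/* Return 1 if the n-byte buffer s contains any syscall signature. */
static int contains_syscall_sig(const char *s, size_t n) {
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        for (size_t off = 0; off + sigs[i].len <= n; off++)
            if (memcmp(s + off, sigs[i].bytes, sigs[i].len) == 0) return 1;
    return 0;
}
/* Check argv and envp of a setuid/setgid exec; either list may be NULL.
 * Returns LIDS_ARG_* flags: as in the post, OVERLONG alone only warns,
 * while SHELLCODE means the exec is denied. */
int lids_check_exec_args(const char *const argv[], const char *const envp[]) {
    int flags = 0;
    const char *const *lists[2] = { argv, envp };
    for (int l = 0; l < 2; l++) {
        if (!lists[l]) continue;
        for (const char *const *p = lists[l]; *p; p++) {
            size_t n = strlen(*p);
            if (n > LIDS_MAX_ARG_LEN) flags |= LIDS_ARG_OVERLONG;
            if (contains_syscall_sig(*p, n)) flags |= LIDS_ARG_SHELLCODE;
        }
    }
    return flags;
}
/* Constructed samples: a normal xlock invocation, and an overlong argument
 * carrying an int 0x80 encoding, mirroring the two log lines in the post. */
int lids_demo_benign(void) {
    const char *argv[] = { "xlock", "-mode", "random", NULL };
    const char *envp[] = { "DISPLAY=:0", "HOME=/home/user", NULL };
    return lids_check_exec_args(argv, envp);
}
int lids_demo_overlong_shellcode(void) {
    static char big[LIDS_MAX_ARG_LEN + 200];  /* trailing byte stays NUL */
    memset(big, 'A', sizeof big - 1);
    memcpy(big + 100, "\xcd\x80", 2);
    const char *argv[] = { "xlock", big, NULL };
    return lids_check_exec_args(argv, NULL);
}
```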
This archive was generated by hypermail 2b30 : Thu May 23 2002 - 16:16:54 PDT