Re: insecure signal handler design

From: Joakim Sandstrom (jodeat_private)
Date: Tue May 29 2001 - 14:42:36 PDT


    Hi All and Good Evening,

    Brilliant paper! Though it left me wondering about some stuff. I'm not so
    used to the *nix platform in terms of what's happening inside, though I do
    understand the issues concerning SIGHUP etc. and cross-raising events
    (signals). I had a quick look and evaluation of situations when this could
    occur in a win32 environment but ran into some question marks. Someone out
    there probably has some answers for me. All events using raise and
    subscription using signal are system wide. But at least if I'd start to play
    around with them more I'd make my own event types that would launch
    according to what system-wide events are being signalled, like (#define
    SIG_TERMINATING 123) for example. So my question goes: even though these
    defines are local to the application raising and subscribing to them, they
    are handled and trapped by all processes subscribing to that signal, SO ->
    is there any other reasonable way of finding out what custom SIGs programs
    are waiting for other than just listening to a huge load of them and when
    someone is sending something I'll just start bombing out stuff to that and
    see who's going down??? Another idea of mine is the NT DDK kernel mode
    driver samples that are trapping all signals/interrupts and information
    about them .. that could be a way to do it? My goal is to find out who is
    subscribing to what SIG. So it would be easier finding possible problems on
    win32 (yes lucky you who are playing on opensource) :). Night night..

    Thanks,

           JODE

    ps. sorry for the typos .. it's been a loong day.. :)
    
    
    
    ----- Original Message -----
    From: "Michal Zalewski" <lcamtufat_private>
    To: <BUGTRAQat_private>
    Cc: <SECPROGat_private>; <SECPAPERSat_private>
    Sent: Tuesday, May 29, 2001 12:10 AM
    Subject: insecure signal handler design
    
    
    >
    > We are proud to announce our new security paper, "Delivering signals for
    > fun and profit". This paper is an attempt to discuss security aspects of
    > very common signal handler coding practices, describing theoretical
    > background and demonstrating actual attack scenarios against live code in
    > a Unix environment.
    >
    > The paper is available at:
    >
    >   http://razor.bindview.com/publish/papers/signals.txt
    >
    > For your convenience, it is attached to this message as well (20 kB). Your
    > feedback would be greatly appreciated.
    >
    > --
    > _____________________________________________________
    > Michal Zalewski [lcamtufat_private] [security]
    > [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    > =-=> Did you know that clones never use mirrors? <=-=
    >
    
    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 09:32:16 PDT