Hi All and Good Evening,

Brilliant paper! Though it left me wondering about some stuff. I'm not so used to the *nix platform in terms of what's happening inside. Though I do understand the issues concerning SIGHUP etc. and cross raising events (signals).

I had a quick look and evaluation on situations when this could occur in win32 environment but ran into some question marks. Someone out there probably has some answers for me.

All events using raise and subscription using signal are system wide. But at least if I'd start to play around with them more I'd make my own event types that would launch according to what system wide events are being signalled like (#define SIG_TERMINATING 123) ex.

So my question goes. Even though these defines are local to the application raising and subscribing to them.. They are handled and trapped by all processes subscribing to that signal, SO -> is there any other reasonable way of finding out what custom SIG's programs are waiting for other than just listening to a huge load of them and when someone is sending something I'll just start bombing out stuff to that and see who's going down???

Another idea of mine is the NT DDK kernel mode driver samples that are trapping all signals/interrupts and information about them .. that could be a way to do it?

My goal is to find out who is subscribing to what SIG. So it would be easier finding possible problems on win32 (yes lucky you who are playing on opensource) :).

Night night..

Thanks,
JODE

ps. sorry for the typos .. it's been a loong day.. :)

----- Original Message -----
From: "Michal Zalewski" <lcamtufat_private>
To: <BUGTRAQat_private>
Cc: <SECPROGat_private>; <SECPAPERSat_private>
Sent: Tuesday, May 29, 2001 12:10 AM
Subject: insecure signal handler design

>
> We are proud to announce our new security paper, "Delivering signals for
> fun and profit". This paper is an attempt to discuss security aspects of
> very common signal handler coding practices, describing theoretical
> background and demonstrating actual attack scenarios against live code in
> Unix environment.
>
> The paper is available at:
>
> http://razor.bindview.com/publish/papers/signals.txt
>
> For your convenience, it is attached to this message as well (20 kB). Your
> feedback would be greatly appreciated.
>
> --
> _____________________________________________________
> Michal Zalewski [lcamtufat_private] [security]
> [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
> =-=> Did you know that clones never use mirrors? <=-=
>

This archive was generated by hypermail 2b30 : Wed May 30 2001 - 09:32:16 PDT