[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Using sgid binaries to defend against LD_PRELOAD/ptrace()

Martin Pitt <mpitt@debian.org> writes:

> In the end I did not worry too much about the startup race condition.
> If there is already a Trojan in the user's session, it is trivial to
> circumvent PR_SET_DUMPABLE, of course (by running the target
> application through gdb right from the start). But it is easy to call
> the PK dialog (or gksu/kdesu) with some crafted application
> name/reason as well, i. e. do some social engineering/phishing.

Unless the trojan starts the application it is improbable that it will
get a ptrace attached before PR_SET_DUMPABLE is run in the
constructor. It would have to scan for new PIDs all the time leaving a
noticeable pu load.

Alternative: ptrace the gnome/kde session to catch the start of the
binary and then ptrace it from the start. But then they can also use
their own little crafty ld replacement that ignores suid/sgid bits for
aplications that just have it to prevent ptrace.

So if you do use the suid/sgid hack to prevent ptraces then please make
sure you check you actually got it to catch this line of exploit.


Reply to: