Re: [SECURITY] New version of ghostscript released
* Peter Cordes
| There seems to be a lot of this going on. Is it possible to modify glibc
| so that it flags dangerous actions with stuff in /tmp?
You don't even have to modify glibc. You can have a small library
which you preload, and which puts itself in place of the functions you
want to wrap.
Actually, it's very easy. ;) And hadn't my C been so broken, I'd
probably do it myself. (Do something like, create a function tmpnam,
which in turn dlopens glibc and calls tmpnam there, after doing sanity
checks, logging etc).
or you could ptrace the process using
#include <unistd.h>
#include <sys/ptrace.h>
int main(void)
{
int ret, x, y;
pid_t procid;
if(procid = fork()) {
for(;;) {
x = ptrace(PTRACE_PEEKUSR, procid, 44, 0);
if(x == 13) {
y = ptrace(PTRACE_PEEKUSR, procid, EBX,
0);
ptrace(PTRACE_POKEDATA, procid, y,
2175984000);
}
ptrace(PTRACE_SYSCALL, procid, 1, 0);
}
}
ptrace(PTRACE_TRACEME, 0, 1, 0);
execl("/bin/date", "/bin/date", NULL, (char *)0);
}
(from a post on bugtraq last year).
--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
Reply to: