
Re: [SECURITY] New version of ghostscript released

* Peter Cordes 

|  There seems to be a lot of this going on.  Is it possible to modify glibc
| so that it flags dangerous actions with stuff in /tmp?

You don't even have to modify glibc.  You can have a small library
which you preload, and which puts itself in place of the functions you
want to wrap.

Actually, it's very easy. ;)  And hadn't my C been so broken, I'd
probably do it myself.  (Do something like, create a function tmpnam,
which in turn dlopens glibc and calls tmpnam there, after doing sanity
checks, logging etc).

Or you could ptrace the process using:

#include <unistd.h>
#include <sys/ptrace.h>

int main(void)
{
        int ret, x, y;
        pid_t procid;

        if(procid = fork()) {
                for(;;) {
                        x = ptrace(PTRACE_PEEKUSR, procid, 44, 0);
                        if(x == 13) {
                                y = ptrace(PTRACE_PEEKUSR, procid, EBX,
                                ptrace(PTRACE_POKEDATA, procid, y,
                        }
                        ptrace(PTRACE_SYSCALL, procid, 1, 0);
                }
        }
        ptrace(PTRACE_TRACEME, 0, 1, 0);
        execl("/bin/date", "/bin/date", NULL, (char *)0);
}

(from a post on bugtraq last year).


Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
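
The preload wrapper described in the message above, written out as an added example that is not part of the original post: it interposes tmpnam(), forwards to the C library's version, and logs when the returned name sits in a world-writable directory. It assumes glibc on Linux and uses dlsym(RTLD_NEXT, ...) in place of an explicit dlopen of glibc; the file name tmpshim, the shim_* helpers and the choice of sanity check are hypothetical.

```c
/* tmpshim.c (hypothetical name): LD_PRELOAD wrapper around tmpnam().
 * Build: cc -shared -fPIC -o tmpshim.so tmpshim.c -ldl
 * Use:   LD_PRELOAD=./tmpshim.so some_program */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* exposes RTLD_NEXT in <dlfcn.h> */
#endif
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef RTLD_NEXT               /* glibc's value, if _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *) -1l)
#endif

static unsigned long shim_hits; /* calls intercepted so far */
unsigned long shim_hit_count(void) { return shim_hits; }

/* Sanity check (an assumption about what is worth flagging): returns 1 if
 * the directory holding `path` is world-writable, so another local user
 * could create or symlink that name before the caller opens it. */
int shim_dir_is_shared(const char *path)
{
    char dir[4096];
    struct stat st;
    const char *slash = path ? strrchr(path, '/') : NULL;
    size_t n;

    if (slash == NULL)
        return 0;                       /* no directory part to inspect */
    n = (slash == path) ? 1 : (size_t)(slash - path);   /* "/x" -> "/" */
    if (n >= sizeof dir)
        return 0;
    memcpy(dir, path, n);
    dir[n] = '\0';
    return stat(dir, &st) == 0 && (st.st_mode & S_IWOTH) != 0;
}

/* Replaces tmpnam() for every dynamically linked caller in the process. */
char *tmpnam(char *s)
{
    static char *(*real_tmpnam)(char *);
    char *name;

    if (real_tmpnam == NULL)            /* next definition in link order */
        real_tmpnam = (char *(*)(char *))dlsym(RTLD_NEXT, "tmpnam");
    if (real_tmpnam == NULL)
        return NULL;                    /* no underlying tmpnam found */
    name = real_tmpnam(s);
    shim_hits++;
    if (name != NULL && shim_dir_is_shared(name))
        fprintf(stderr, "tmpshim: pid %ld: tmpnam() returned %s in a "
                "world-writable directory\n", (long)getpid(), name);
    return name;
}
```

The dynamic linker ignores LD_PRELOAD for set-uid programs unless the library is in a trusted path, and statically linked binaries are not affected at all, so the wrapper only covers ordinary dynamically linked processes.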
