| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAObL_7FeZQpnOzpXHqSviZdBRUCL+rODbQOBb+6JPSd3PB=fig@mail.gmail.com> Date: Sat, 6 Aug 2011 09:15:45 -0400 From: Andrew Lutomirski <luto@....edu> To: Tejun Heo <tj@...nel.org> Cc: Matt Helsley <matthltc@...ibm.com>, Pavel Emelyanov <xemul@...allels.com>, Nathan Lynch <ntl@...ox.com>, Oren Laadan <orenl@...columbia.edu>, Daniel Lezcano <dlezcano@...ibm.com>, S@....edu, "James E.J. Bottomley" <JBottomley@...allels.com>, "David S. Miller" <davem@...emloft.net>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [EXAMPLE CODE] Parasite thread injection and TCP connection hijacking On Sat, Aug 6, 2011 at 9:00 AM, Tejun Heo <tj@...nel.org> wrote: > Hello, > > On Sat, Aug 06, 2011 at 08:45:28AM -0400, Andy Lutomirski wrote: >> > 2. Decide where to inject the foreign code and save the original code >> > with PTRACE_PEEKDATA. Tracer can poke any mapped area regardless >> > of protection flags but it can't add execution permission to the >> > code, so it needs to choose memory area which already has X flag >> > set. The example code uses the page the %rip is in. >> >> If the process is executing from the vsyscall page, then you'll >> probably fail. (Admittedly, this is rather unlikely, given that the >> vsyscalls are now exactly one instruction.) Presumably you also >> fail if executing from a read-only MAP_SHARED mapping. > > Heh, yeah, I originally thought about scanning /proc/PID/maps to look > for the page to use but was lazy and just used %rip. I think that > should work. I'll note the problem in README. > >> Windows has a facility to more-or-less call mmap on behalf of >> another process, and another one to directly inject a thread into a >> remote process. It's traditional to use them for this type of >> manipulation. Perhaps Linux should get the same thing. (Although >> you could accomplish much the same thing if you could create a task >> with your mm but the tracee's fs.) > > Actually, the only thing we need on x86_64 is two bytes for the > syscall instruction because all params are passed through registers > anyway. We can just set up parameters for mmap, turn on single step, > point %rip to syscall in the vsyscall page. So, either way, I don't > think this would be too difficult to solve. Not any more -- that syscall instruction is gone as of 3.1. You could search through the vdso to find a syscall, but that seems fragile. Why not just add a ptrace command to issue a syscall? --Andy -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists