Vulnerability Development mailing list archives

Re: Capturing System Calls


From: job () ITSX COM (Job de Haas)
Date: Fri, 23 Jun 2000 13:58:16 +0200


Hi,

I was thinking along these lines too. I haven't actually gotten my hands on
the application yet but considering it's a security product it's probably
statically linked.

One more stipulation of the test, I'm not allowed to run it "wrapped" by
another program, truss, strace, etc...

It depends on your definition of wrapping and on the privs the program runs
under and from the priv you want to attack.

apptrace, sotruss etc. 'wrap' in the sense that they use the dynamic linking
facility to intercept.

truss, strace etc. do not. They use ptrace to inspect the system calls.
ptrace can be used to inspect processes based on their PID and thus without
'wrapping'. You can do it on processes that are already running and it also
works fine on statically linked binaries. Only a sound ptrace implementation
won't let you cross privilege boundaries.

An example of runtime modification of /usr/bin/date was shown in a bugtraq
thread:

http://www2.merton.ox.ac.uk/~security/bugtraq-199905/0164.html

( The securityfocus references are just awful )

Job
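A minimal ptrace-based system-call monitor of the kind Job describes for truss/strace, added here as an example (it is not code from the post, nor from truss, strace or any other tool named in it). It forks a child, has the child request tracing with PTRACE_TRACEME, and then counts every system-call entry stop; since it goes through the kernel's ptrace interface rather than the dynamic linker, a statically linked target is observed just as well. Assumptions of the example: Linux with glibc headers; system-call numbers are decoded only on x86_64 (from orig_rax, using the fact that rax holds -ENOSYS at entry); the /bin/true target in the test and the verbose flag are the example's own choices. Attaching to an already-running PID would use PTRACE_ATTACH instead of PTRACE_TRACEME, and that request is where the kernel enforces the privilege boundary mentioned above: it fails with EPERM across uid boundaries or when a hardening policy such as Yama's ptrace_scope forbids it, which is also why ptrace activity on a host is worth logging.

```c
/* mini_tracer.c: count (and optionally list) the system calls a child makes,
 * using ptrace.  Example code, not from the mailing-list post.  Linux only;
 * syscall numbers are decoded on x86_64 only.
 * Build: cc -std=gnu11 -o mini_tracer mini_tracer.c */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* At a syscall stop, report whether it is the entry (1) or exit (0) and fetch
 * the syscall number.  On x86_64 the kernel leaves -ENOSYS in rax at entry,
 * which is more reliable than toggling a flag: the first stop seen after the
 * exec is usually execve's exit, which would put a toggle out of phase.
 * Returns -1 if the registers cannot be read. */
static int syscall_entry(pid_t pid, int *toggle, long *nr)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
        return -1;
    *nr = (long)regs.orig_rax;
    return (long)regs.rax == -ENOSYS;
#else
    (void)pid;
    *nr = -1;                 /* not decoded on this architecture (assumption: toggle is in phase) */
    *toggle = !*toggle;
    return *toggle;
#endif
}

/* Run argv[] as a traced child and return the number of system calls it
 * entered, or -1 if the child could not be traced (ptrace refused, e.g. by a
 * sandbox or seccomp policy) or could not be started. */
long count_syscalls(char *const argv[], int verbose)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: ask to be traced, then exec.  The exec delivers a SIGTRAP stop. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(111);
        execvp(argv[0], argv);
        _exit(112);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;            /* child never reached the exec stop */

    /* Tag syscall stops with SIGTRAP|0x80 so they cannot be confused with a
     * genuine SIGTRAP delivered to the child. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1) {
        kill(pid, SIGKILL);
        return -1;
    }

    long entries = 0;
    int toggle = 0;
    int sig = 0;              /* signal to deliver on the next resume */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        sig = 0;
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            long nr;
            int entry = syscall_entry(pid, &toggle, &nr);
            if (entry < 0)
                return -1;
            if (entry) {
                entries++;
                if (verbose)
                    printf("syscall %ld\n", nr);
            }
        } else if (WIFSTOPPED(status)) {
            sig = WSTOPSIG(status);   /* forward any other signal to the child */
        }
    }
    return entries;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s prog [args...]\n", argv[0]);
        return 2;
    }
    long n = count_syscalls(argv + 1, 1);
    if (n < 0) {
        fprintf(stderr, "could not trace %s\n", argv[1]);
        return 1;
    }
    printf("%s made %ld system calls\n", argv[1], n);
    return 0;
}
```

Run it as `./mini_tracer /bin/true` to see each system-call number followed by the total. If the tracer is itself confined (a container seccomp profile, or a Yama ptrace_scope setting that disallows it), PTRACE_TRACEME fails in the child and count_syscalls returns -1 instead of a count, which is the same boundary a tracer hits when it tries to attach to a process it is not allowed to inspect.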

