Re: *ICN - A Conspiracy of Inertia?

From: Dragos Ruiu (dr@kyx.net)
Date: 03/19/02


Date: Tue, 19 Mar 2002 15:23:05 +0000
From: Dragos Ruiu <dr@kyx.net>
To: robert_david_graham <robert_david_graham@yahoo.com>

On Tue, 19 Mar 2002 16:53:08 -0500
robert_david_graham <robert_david_graham@yahoo.com> wrote:
> You could solve more than 50% of UNIX exploits if you simply hooked
> exec("/bin/sh") in the kernel. Likewise, detecting changes to
> /etc/inetd.conf would solve another large percentage of UNIX exploits.

It's not quite that simple. Oh but how easy it would be if it were.
There are many, many, shellcodes, trojans, rootkits, and other
nasties you don't often hear about :-).

I'm hearing so much these days about innovative ways to hide rootkits. :-)
I think that the old ingreslock style inetd.conf rootkits are left
to primarily the domain of the script kiddies and beginners...

Similarly, there are so many alternatives to exec("/bin/sh") that you would
get little but a false sense of security if you only blocked this.

> On the other hand, I do feel guilty sometimes for being a purist about it.
> E.g. BlackICE never had generic NOP sled detection because I was too much of
> a purist; it is so easily evadable I'm still surprised why people haven't
> done something like replace 0x90 with 0x43 (inc ebx): the first thing most
> shell code is overwrite ebx anyway. It really is a conspiracy of intertia
> that we reject the simplest solutions while hunting for the more complex
> "pure" solutions.

Well not all NOP sled detectors are so easily evadable.

All I have to say is <fnord>. :-)

http://cansecwest.com/spp_fnord.c :-)

-- 
--dr                  pgpkey: http://dragos.com/dr-dursec.asc
      CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
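The point of the exchange above, in working form: a literal 0x90 sled check versus a detector that treats any run of sled-equivalent single-byte x86 instructions as a sled, so that the 0x43 (inc ebx) substitution Robert mentions is missed by the first and caught by the second. This is an added illustration, not code from this thread and not the contents of spp_fnord.c; the opcode table, the 32-byte run threshold and the sample buffers are assumptions constructed for the example.

```python
# Added example, not from the original thread or from spp_fnord.c: a minimal
# "fnord-style" NOP-sled detector that flags runs of x86 single-byte
# instructions usable as sled filler, beside a classic 0x90-only check.
# The opcode set below is an illustrative assumption, not fnord's real table.

# Single-byte x86 opcodes that leave control flow, and the registers a typical
# payload relies on, intact. The ASCII-range ones (0x41..0x4f = letters A..O)
# are why plain uppercase text is a known false-positive source.
SLED_BYTES = frozenset({
    0x90,                          # nop
    *range(0x40, 0x50),            # inc/dec reg (0x43 is inc ebx)
    *range(0x91, 0x98),            # xchg eax, reg
    0x98, 0x99,                    # cwde, cdq
    0x27, 0x2F, 0x37, 0x3F,        # daa, das, aaa, aas
    0x9B, 0x9E, 0x9F,              # fwait, sahf, lahf
    0xF5, 0xF8, 0xF9, 0xFC, 0xFD,  # cmc, clc, stc, cld, std
})


def find_runs(data: bytes, allowed, min_run: int = 32):
    """Return (offset, length) for every run of >= min_run consecutive bytes
    drawn from `allowed`. Shared by both detectors below."""
    runs = []
    start = None
    for i, b in enumerate(data):
        if b in allowed:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_run:
        runs.append((start, len(data) - start))
    return runs


def classic_nop_sleds(data: bytes, min_run: int = 32):
    """The naive detector: only literal 0x90 runs count."""
    return find_runs(data, {0x90}, min_run)


def fnord_style_sleds(data: bytes, min_run: int = 32):
    """The broader detector: any mix of sled-equivalent single-byte opcodes."""
    return find_runs(data, SLED_BYTES, min_run)


# Constructed samples. Prefix and suffix bytes are deliberately outside
# SLED_BYTES so the run boundaries are unambiguous.
PREFIX, SUFFIX = b"user=", b"zzzz"
SAMPLE_CLASSIC = PREFIX + b"\x90" * 64 + SUFFIX   # plain 0x90 sled
SAMPLE_INC_EBX = PREFIX + b"\x43" * 64 + SUFFIX   # 0x43 = inc ebx sled
_TABLE = sorted(SLED_BYTES)
SAMPLE_MIXED = PREFIX + bytes(_TABLE[i % len(_TABLE)] for i in range(48)) + SUFFIX
SAMPLE_ASCII = b"ABCDEFGHIJKLMNO" * 3              # benign uppercase text
SAMPLE_TEXT = b"hello world, nothing to see here"


def report(sample: bytes):
    """What each detector says about one sample."""
    return {
        "classic": classic_nop_sleds(sample),
        "fnord_style": fnord_style_sleds(sample),
    }


if __name__ == "__main__":
    for name, s in [("classic", SAMPLE_CLASSIC), ("inc_ebx", SAMPLE_INC_EBX),
                    ("mixed", SAMPLE_MIXED), ("ascii", SAMPLE_ASCII),
                    ("text", SAMPLE_TEXT)]:
        print(f"{name:8s} {report(s)}")
```

The ASCII sample is the caveat a practitioner wants to know about: a 45-byte run of the letters A..O is indistinguishable, byte for byte, from an inc/dec sled, so a broad opcode table buys evasion resistance at the price of false positives on text-heavy protocols. The usual mitigations are a longer minimum run (`min_run=64` clears that sample), restricting the check to fields that should never carry long uppercase runs, or corroborating with other evidence of a payload before alerting.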