The main idea is very simple:
The purpose of an overflow attack that aims to gain interactive access is to execute an interactive program (for example, a shell) from the attacked program, whose permissions include the SET UID or SET GID bit. If the permissions include neither of these bits, the interactive program is opened with exactly the attacker's own permissions, which is of no interest to her.
Penetrator MegaBlaster is basically a module that replaces the 'execve' system call handler. After it finishes all its checks, it calls the original handler.
The system administrator should have an access file with lines in the following format:
(name of the SET UID program from which the execve is called) (space) (uid, or '*' for all users) (space) (path of the program being called).
MegaBlaster checks this file for execution permission on every execve from a SET UID program. For example, when user 500 executes a shell from finger, MegaBlaster looks for
fingerd 500 /bin/sh or fingerd * /bin/sh
in the access file. If it finds neither of those lines, access is denied. Simple. All reports by MegaBlaster can be viewed easily: grep MegaBlaster /var/log/messages | more.
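To make the lookup concrete, here is an added user-space model of that policy check. It is example code written for this page, not MegaBlaster's own kernel code: it parses access-file lines of the form "program uid-or-* path", fails closed on blank, comment or malformed lines, and returns the allow/deny decision. The sample access file, the function names and the log message wording are all constructed for the example.

```c
/* Added example (not the module's code): a user-space model of the
 * MegaBlaster access-file check. Lines have the form
 *   <setuid program> <uid or *> <path of program being called>
 * and an execve is allowed only if some line matches. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample access file; not taken from the page. */
static const char SAMPLE_ACCESS_FILE[] =
    "# setuid-program  uid-or-*  program-being-called\n"
    "fingerd 500 /bin/sh\n"
    "fingerd * /usr/bin/less\n"
    "sendmail * /usr/sbin/procmail\n"
    "\n";

/* Returns 1 if some line permits (caller, uid, target), 0 otherwise.
 * Default is deny: a comment, blank or malformed line never grants access. */
int megablaster_allowed(const char *access_file, const char *caller,
                        unsigned long uid, const char *target)
{
    const char *p = access_file;
    while (*p != '\0') {
        /* Copy one line into a bounded local buffer. */
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + full;

        if (line[0] == '#')
            continue;                           /* comment line */

        char prog[64], uidtok[16], path[256];
        if (sscanf(line, "%63s %15s %255s", prog, uidtok, path) != 3)
            continue;                           /* blank or malformed line */

        if (strcmp(prog, caller) != 0 || strcmp(path, target) != 0)
            continue;                           /* different program or target */

        if (strcmp(uidtok, "*") == 0)
            return 1;                           /* wildcard: any user */

        char *end;
        unsigned long line_uid = strtoul(uidtok, &end, 10);
        if (*end == '\0' && line_uid == uid)
            return 1;                           /* exact uid match */
    }
    return 0;                                   /* no matching line: deny */
}

/* Makes the decision and emits a syslog-style line (wording is assumed,
 * chosen so that `grep MegaBlaster` would find it). Returns the decision. */
int megablaster_check(const char *access_file, const char *caller,
                      unsigned long uid, const char *target)
{
    int ok = megablaster_allowed(access_file, caller, uid, target);
    printf("MegaBlaster: execve of %s from %s by uid %lu: %s\n",
           target, caller, uid, ok ? "allowed" : "denied");
    return ok;
}

int main(void)
{
    megablaster_check(SAMPLE_ACCESS_FILE, "fingerd", 500, "/bin/sh");
    megablaster_check(SAMPLE_ACCESS_FILE, "fingerd", 501, "/bin/sh");
    megablaster_check(SAMPLE_ACCESS_FILE, "fingerd", 501, "/usr/bin/less");
    megablaster_check(SAMPLE_ACCESS_FILE, "httpd", 0, "/bin/sh");
    return 0;
}
```

Running it shows the two outcomes the text describes: uid 500 running /bin/sh from fingerd is allowed by the explicit line, uid 501 is denied because neither "fingerd 501 /bin/sh" nor "fingerd * /bin/sh" exists, while /usr/bin/less is allowed for any uid through the '*' line.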
Notes: the idea can be extended in at least 4 ways:
1) Adding options to MegaBlaster's activations (4 currently).
2) Inserting it as a patch into the kernel.
3) Implementing the idea on other OSes.
4) Selling the idea to Bill Gates (probably the best of the 4).
You can find all the MegaBlaster files and installation instructions on the next page.