Site hosted by Build your free website today!


Penetrator MegaBlaster
page #1

Please click the refresh button on your browser in order to get the updated page.

Penetrator MegaBlaster is a kernel module that detects & stops overflow attacks (like the famous buffer overflow attack), which aim to get an interactive access to the system (for example, open a new shell). Penetrator MegaBlaster was written by Boris Litvak, Alex Fishgate & Eyal Serrero, with the guidance of Amichai Shulman. Advices by Gennady Litvak saved tons of time. It was tested on Red Hat Linux 6.0 and on Red Hat Linux 5.2.

The main idea is very simple:

The purpose of overflow attack which aims to get an interactive access is to execute an interactive program (for example, shell) from the attacked program, which permissions include SET UID or SET GUID bit. If the permissions don't include one of this bits, The interactive program will be opened with the attacker's permissions exactly, which is not interesting to her.

Penetrator MegaBlaster is basically a module that replaces the 'execve' system call handler. After it finishes all the checking, it calls the original handler.

System administrator should have an access file with lines in a following format:
(name of the SET UID program from which the execve is called) (space) (uid or '*' for all users) (space) (path of the program being called).
MegaBlaster checks for execution permissions in this file for all execve's from SET UID programs. For example, upon executing shell from finger by user 500, MegaBlaster will look for
fingerd 500 /bin/sh or fingerd * /bin/sh
in the access file. If it doesn't find one of those lines, the access is denied. Simple. All the reports by the MegaBlaster can be viewed easily: grep MegaBlaster /var/log/messages | more.

Notes: the idea can be extended at least by 4 ways:
1) Adding options to MegaBlaster activations (4 currently).
2) Inserting it as a patch into the kernel.
3) Implementing the idea on other OS.
4) Selling the idea to Bill Gates (probably the best out of 4).

You can find all the MegaBlaster files and installation instructions on the next page.

See also:

  • StackGuard
  • SecuriTeam
  • Known attacks
  • Next Page

    This page is managed by Boris Litvak.

    (unique IP's since 20/9/1999)