Michael Lynn - 2002-02-19

if this problem (as described in the UML security slide thing) has been
fixed already then just go ahead and ignore this post...

<disclaimer>
I'm tired, I have a caffeine headache, and I still haven't gotten over
Monday yet, so please take this post with a grain of salt as I make no
pretense of being correct on any of this, blah blah blah, whatever...
</disclaimer>

ok, so if I'm not mistaken lcalls are done through call gates, yes? These
call gate descriptors are located in the process's local descriptor
table, yes? ...well, with the use of my favorite undocumented Linux syscall
(mostly undocumented anyways), modify_ldt(), we should be able to remove
these descriptors from our LDT, yes? ...if we replace them with one that
has the segment-not-present bit set, then should it not generate a
segment-not-present exception whenever the annoying user tries to call
with that selector? ...I'm not sure what signal a process will get sent
when that happens (probably just a SIGSEGV or SIGBUS or
something), but if you really wanted to go all out you could even do
some trickery at the point it got that signal to determine where in the
code the signal came from (checking info on that process's stack I
presume, I don't know enough about how UML works to presume to do that
part) and then check to see if it's a call instruction with that telltale
selector in it... if so then some voodoo could be done to then fake
the lcall syscall with a standard int 0x80 one...

don't know if that will work (or even if it made sense) but those were my
first thoughts upon seeing that slide show thing...

when I get some time to play I'll see if I can't sanity check what I just
said and give it a shot...

--Abaddon
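An added example, not from the post or from UML itself, of the step where the signal handler would "check to see if it's a call instruction with that telltale selector": decoding the bytes at a faulting instruction pointer as a direct far call and pulling out the selector. It assumes 32-bit x86 instruction encoding and uses constructed sample bytes; reading the faulting EIP from the signal context and faking the syscall are left out.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Result of decoding the bytes at a faulting instruction pointer as a direct
 * far call (opcode 0x9A, "lcall ptr16:32"). */
struct lcall_info {
    int is_lcall;       /* 1 if the bytes form a direct far call */
    uint16_t selector;  /* selector operand: picks the call gate descriptor */
    uint32_t offset;    /* offset operand: ignored when the target is a call gate */
    size_t length;      /* 7 bytes, or 5 with a 0x66 operand-size prefix */
};
/* 32-bit x86 encoding (assumed): [66] 9A <offset: 4 or 2 bytes LE> <selector: 2 bytes LE> */
struct lcall_info decode_lcall(const uint8_t *ip, size_t avail) {
    struct lcall_info r = {0, 0, 0, 0};
    size_t pos = (avail > 0 && ip[0] == 0x66) ? 1 : 0;   /* operand-size prefix present? */
    size_t offlen = pos ? 2 : 4;
    size_t need = pos + 1 + offlen + 2;
    if (avail < need || ip[pos] != 0x9A) return r;        /* truncated read or not a far call */
    const uint8_t *p = ip + pos + 1;
    for (size_t k = 0; k < offlen; k++) r.offset |= (uint32_t)p[k] << (8 * k);  /* little-endian */
    p += offlen;
    r.selector = (uint16_t)(p[0] | (p[1] << 8));
    r.length = need;
    r.is_lcall = 1;
    return r;
}
/* Selector layout: bits 15..3 = descriptor index, bit 2 = table (1 = LDT), bits 1..0 = RPL. */
int selector_in_ldt(uint16_t sel) { return (sel >> 2) & 1; }
unsigned selector_index(uint16_t sel) { return sel >> 3; }
/* The check a signal handler would make before faking the syscall: is the faulting
 * instruction a far call through the selector whose LDT descriptor was marked not-present? */
int is_trapped_lcall(const uint8_t *ip, size_t avail, uint16_t trapped_sel) {
    struct lcall_info i = decode_lcall(ip, avail);
    return i.is_lcall && i.selector == trapped_sel;
}
/* Constructed samples: "lcall $7,$0" (selector 7 = LDT index 0, RPL 3) and "int $0x80". */
const uint8_t sample_lcall7[] = {0x9A, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00};
const uint8_t sample_int80[] = {0xCD, 0x80};

int main(void) {
    struct lcall_info i = decode_lcall(sample_lcall7, sizeof sample_lcall7);
    printf("far call: %d, selector 0x%04x (LDT=%d, index %u), length %zu\n",
           i.is_lcall, i.selector, selector_in_ldt(i.selector), selector_index(i.selector), i.length);
    printf("int 0x80 treated as trapped lcall: %d\n",
           is_trapped_lcall(sample_int80, sizeof sample_int80, 0x0007));
    return 0;
}
```

The `avail` argument matters in a real handler: the faulting address may sit within a few bytes of the end of a mapping, so the decoder refuses rather than over-reading.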