xorl %eax, %eax

Bypassing Systrace on 64bit OS


This vulnerability was found and reported by Chris Evans on 23 January 2009. It's something really cool since nobody likes Niels Provos and of course his systrace thingie. I believe everyone is familiar with this tool. Systrace uses access policies on system calls to enforce various security restrictions. For more info check out the Wikipedia page (of course it has one :P), but please… have a look at the screenshot :P Hehe! I'm skipping the xsystrace window and reading the background conversation of Dug Song on #monkey talking about his trojaned dsniff. Haha! Read the topic! Anyway, so.. the problem is simple. Linux 64bit supports 64bit system call numbers since, as you all know, system call numbers are of type long, thus 64bit long values on LLP64 and LP64, but systrace does not support 64bit numbers for system calls. This way you can issue system call No. 0x0000000000000001, which is 1 in decimal; on 32bit this is:

#define __NR_exit                 1

But on 64bit this would be:

#define __NR_write                               1
__SYSCALL(__NR_write, sys_write)

Anyway, this means that systrace was useless on 64bit OSs for some time ;p Finally, yes, I know that this post was more trolling than information, but I think it was fun and worth a post! :D

Written by xorl

January 28, 2009 at 14:40

Posted in bugs, fun
