Executing Code From Non-executable Files
We're all told about the hazards of running untrusted executables. If a
friend sends you the latest greatest program, can you be sure that it
was him as opposed to someone forging the email address? Or perhaps it's
a virus/worm. Or perhaps your friend is just malicious and wants you to
run a program that has 'rm -rf /' in it.
What some may not realize is that some non-executable file formats have
the potential to run malicious code. A few weeks ago I challenged folks
to create a file that, when viewed with a standard tool, would be able
to perform system actions. In this case, the payload should take the
file 'modifyme' and delete the first four bytes. In real life, you'd
expect something more interesting, such as binding a network-accessible
shell, or creating a suid binary.
The first one we'll look at is a man page. Man pages are usually stored
in directories such as /usr/man/ or /usr/share/man in a macro language
that is readable by troff. For example, on my system, the source to the
p0f man page looks like this:
.TH P0F 1
.\" NAME should be all caps, SECTION should be 1-8, maybe w/
subsection
.\" other parms are allowed: see man(7), man(1)
.SH NAME
p0f \- identify remote systems passively
.SH SYNOPSIS
.B p0f
.I "[ -f file ] [ -i device ] [ -o file ] [ -s file ] [ -vKUtq ] [
'filter rule' ]"
.br
.SH "DESCRIPTION"
This manual page briefly documents the
.BR p0f
command.
...
It is stored in /usr/share/man/man1/p0f.1 so when you type 'man p0f', it
runs this file through various parsing programs and, in the end, shows
you a readable version like this:
P0F(1) P0F(1)
NAME
p0f - identify remote systems passively
SYNOPSIS
p0f [ -f file ] [ -i device ] [ -o file ] [ -s file ] [
-vKUtq ] [ 'filter rule' ]
DESCRIPTION
This manual page briefly documents the p0f command.
...
One of the parsers invoked by man is troff. All those lines beginning
with '.' are troff macros, which are used to specify indentation,
boldness, and such. It's an ancient language, created eons before HTML.
In addition to the formatting options, there are a couple macro requests
that allow you
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
