It may be appropriate to skip this slide in the presentation due to size limitations, screen display, and audience familiarity with subject.


This is the slide introduced earlier; we can now talk about it. (The discussion must come from the presenter, as the space in the PowerPoint comments does not allow for a full treatment.)


It is a decent presentation of the following concepts (and carries some "appeal" because of the subject matter and the sensational slide title):

• Thread local variables

• Copying data from the remote application space

• Prototyping system calls

• The difference between the entry and exit probes for the syscall provider


This is dumped onto two "screens" to show all the code. This is about as efficiently as it can be displayed without removing or reformatting code to save space.


What this code does: It looks for reads/writes on a process called "passwd" and dumps the results to a file or stdout with some relevant formatting.


A sample run looks like this:


--------

Changing password for "wfavorit"

myoldpass

mynewpass

mynewpass

--------

Changing password for "wfavorit"

userpass

userpass

--------

^C


The first is when run by the user, the second is by root. (Fake PWs were entered, otherwise this is a cut-n-paste from a real session.)


Some notes about the code:


• The passwd binary is suid and owned by root (instead of using RBAC), so we cannot use the __uid or __euid values to determine who the target user is. Neither can we pull command line info. But we know that passwd writes a string that begins with "Changing" and includes the target user's name.

• We cheat in a few places because we know that file descriptor 5 is used to read user input and that the reads for that input are always of size 1. The "cheat" here is that I used ProbeVue to find the file descriptor and then filtered on it specifically. Using a single tool to work toward a specific end is central to the power of this environment.

• This is more about making a point about Vue features and capabilities than about real value. The primary reason that it is of limited value (or threat) is that it can only be run by a superuser, who really does not care about passwords (as a means to personally exploit the system).
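The four concepts listed above, shown in a minimal Vue script. This is an added illustration, not the script from the slide: it prototypes read() and write(), copies the "Changing password for" line out of the passwd process at write entry, and uses thread-local variables to carry read() arguments from the entry probe to the exit probe, where it reports only the byte count of each fd 5 read rather than its content. It assumes the AIX ProbeVue syscall provider with the __pname, __pid and __rv built-ins, the __thread storage class and get_userstring(); file descriptor 5 comes from the slide notes.

```vue
#!/usr/bin/probevue
/* Added example, not the slide's own script. Assumes ProbeVue built-ins
   __pname, __pid, __rv, the __thread storage class and get_userstring(). */

/* Prototype the syscalls so probe actions can refer to arguments by name. */
int write(int fd, char *buf, int count);
int read(int fd, char *buf, int count);

/* Thread-local storage: the entry probe sees the arguments, the exit probe
   sees the return value (__rv). Carry what the exit probe will need. */
__thread int rd_fd;
__thread int rd_count;

/* write entry: the caller has already filled the buffer, so it can be
   copied from user space right here. This is where the
   "Changing password for ..." line (with the target user) appears. */
@@syscall:*:write:entry
when (__pname == "passwd")
{
    String s[128];                      /* assumed: longer data is truncated */
    s = get_userstring(buf, count);     /* copy from the remote address space */
    printf("[pid %d] write(fd=%d): %s", __pid, fd, s);
}

/* read entry: the buffer is still empty, so only record the arguments. */
@@syscall:*:read:entry
when (__pname == "passwd" && fd == 5)   /* fd 5 = user input, per the notes */
{
    rd_fd = fd;
    rd_count = count;
}

/* read exit: the data has now arrived and __rv says how many bytes.
   Report the size only (the notes say these are 1-byte reads). */
@@syscall:*:read:exit
when (__pname == "passwd" && rd_fd == 5 && __rv > 0)
{
    printf("[pid %d] read(fd=%d) asked for %d, returned %d byte(s)\n",
           __pid, rd_fd, rd_count, __rv);
    rd_fd = 0;                          /* clear so unrelated reads are ignored */
}
```

Run it as root with probevue while a user runs passwd in another session; stop it with ^C as in the sample run above.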