Date:      Mon, 23 Jul 2001 15:20:11 +0100
From:      Nick Barnes <Nick.Barnes@pobox.com>
To:        Jason Andresen <jandrese@mitre.org>
Cc:        Mike Hoskins <mike@adept.org>, Tom <tom@uniserve.com>, "Chad R. Larson" <chad@dcfinc.com>, admin@kremilek.gyrec.cz, freebsd-stable@FreeBSD.ORG
Subject:   Re: probably remote exploit 
Message-ID:  <17702.995898011@thrush.ravenbrook.com>
In-Reply-To: Message from Jason Andresen <jandrese@mitre.org>  of "Mon, 23 Jul 2001 10:01:40 EDT." <3B5C2E44.2B7D7DF8@mitre.org> 

And you need to be sure that you really _are_ booting off the CD, not
booting a hacked kernel from the hard disk which detects that you have
a bootable CD in the drive and assumes that you're trying to boot off
CD to clean up your system, so _pretends_ to be booting off the CD
except when you come to run the checksum utility on the CD.  Etc etc.

And, of course, if it's a CD-RW, this evil kernel module could just
virally infect it.... :-)

Note that one might often want to config a machine so it won't boot
from removable media (so that random idiots with access to the front
panel can't boot some other OS from CD or floppy), so this scenario
isn't _totally_ nuts (only, say, 99.98% nuts).  A hassled sysadmin
might well put in a CD and reboot without watching too closely,
forgetting that the BIOS config will cause the CD to be disregarded.

Nick Barnes

At 2001-07-23 14:01:40+0000, Jason Andresen writes:
> Mike Hoskins wrote:
> > 
> > On Fri, 20 Jul 2001, Tom wrote:
> > 
> > >   But if a backdoor is installed, you can't trust cvsup, or make either.
> > > Any binary could have been tampered with.  For instance, I would make a
> > > backdoor make that would detect that an installworld is underway, and
> > > always make sure that a backdoored copy of "login" and another copy of
> > > "make".
> > 
> > What?  Everyone can't just do a quick check against the saved tripwire
> > checksums on CD-R?  ;)  Seriously.  While checksuming an entire system can
> > be impractical, keeping checksums for a barebones set of administrative
> > tools can be a lifesaver.
> 
> You need to boot off of the CDROM first, otherwise you might have an
> evil kernel module loaded that can send bogus data to your checksummer
> when it reads from the disk.  It's not quite as easy as just mounting
> the CD and running the checksums.
> 
> -- 
>   \  |_ _|__ __|_ \ __| Jason Andresen        jandrese@mitre.org
>  |\/ |  |    |    / _|  Network and Distributed Systems Engineer
> _|  _|___|  _| _|_\___| Office: 703-883-7755
> 
> 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
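A minimal version of the offline checksum check the thread discusses, as an added example (not code from the thread, from Tripwire, or from the FreeBSD project). It assumes a sha256sum or shasum binary is on the PATH; the tool names in demo() are constructed stand-ins for /usr/bin/login and /usr/bin/make, and the baseline file stands in for the CD-R. The objection Jason and Nick raise is built in: the baseline also records digests of the verifier's own dependencies (sh, awk, the hash tool), which only proves anything if those, and the kernel beneath them, were booted from media the attacker never touched.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a checksum baseline for a
# short list of administrative tools and later verifies the installed copies
# against it. The baseline file stands in for the read-only CD-R; the tool
# names and paths in demo() are constructed for illustration.

# hash_file PATH: print the SHA-256 hex digest of PATH.
# Uses GNU sha256sum if present, otherwise BSD/macOS shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# checker_deps: the programs this script itself relies on. They belong in
# the baseline too; a verifier whose own sh/awk/hash tool are backdoored
# proves nothing. (And none of this helps if the running kernel lies.)
checker_deps() {
    command -v sh
    command -v awk
    command -v sha256sum 2>/dev/null || command -v shasum
}

# make_baseline LIST OUT: for each path in LIST (one per line) write
# "<sha256>  <path>" to OUT. Missing files are reported and skipped.
make_baseline() {
    : > "$2"
    while IFS= read -r tool; do
        [ -n "$tool" ] || continue
        if [ ! -f "$tool" ]; then
            echo "baseline: missing $tool" >&2
            continue
        fi
        printf '%s  %s\n' "$(hash_file "$tool")" "$tool" >> "$2"
    done < "$1"
}

# verify_baseline BASELINE: recompute each digest and print a MODIFIED or
# MISSING line for every entry that does not match. Returns 0 when every
# entry matches, 1 otherwise. Paths in the baseline must not contain spaces.
verify_baseline() {
    rc=0
    while read -r expected tool; do
        if [ ! -f "$tool" ]; then
            echo "MISSING: $tool"; rc=1; continue
        fi
        actual=$(hash_file "$tool")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED: $tool"; rc=1
        fi
    done < "$1"
    return $rc
}

# demo: constructed stand-in binaries in a temp dir, baseline them, then
# swap "login" for a different file the way the thread's hypothetical
# backdoor would.
demo() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf '#!/bin/sh\necho real login\n' > "$d/bin/login"   # constructed
    printf '#!/bin/sh\necho real make\n'  > "$d/bin/make"    # constructed
    printf '%s\n%s\n' "$d/bin/login" "$d/bin/make" > "$d/tools.lst"
    checker_deps >> "$d/tools.lst"

    make_baseline "$d/tools.lst" "$d/baseline.sum"
    verify_baseline "$d/baseline.sum" && echo "clean: all entries match"

    printf '#!/bin/sh\necho backdoored login\n' > "$d/bin/login"
    verify_baseline "$d/baseline.sum" || echo "tampering detected"
    rm -rf "$d"
}

demo
```

Run make_baseline on a system you still trust, write the output to read-only media, and run verify_baseline only after booting from that media; run from the suspect system's own kernel it can report "clean" while reading whatever the kernel chooses to show it.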
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?17702.995898011>