Date: Sun, 9 Sep 2001 11:07:32 +0300 (EEST)
From: Giorgos Verigakis <verigak@algol.vtrip-ltd.com>
To: Deepak Jain <deepak@ai.net>
Cc: Kris Kennaway <kris@obsecurity.org>, D J Hawkey Jr <hawkeyd@visi.com>, Alexander Langer <alex@big.endian.de>, <freebsd-security@FreeBSD.ORG>
Subject: RE: Kernel-loadable Root Kits
Message-ID: <Pine.LNX.4.30.0109091103580.32595-100000@algol.vtrip-ltd.com>
In-Reply-To: <GPEOJKGHAMKFIOMAGMDIIEIPFHAA.deepak@ai.net>
On Sat, 8 Sep 2001, Deepak Jain wrote:

> Presumably, a user in userland has root to be loading a kernel module in the
> first place.
>
> This user could easily edit the rc.conf file to boot up in securelevel=-1
> and reboot the machine -- as well as circumvent most notifications about the
> reboot.

Yes, but then you can chflags schg rc.conf rc ... (or maybe the whole /etc)

> Hell, if I wanted to compromise a box, screwing the kernel directly is the
> way to go. Especially for remotely administered boxes, there is almost no
> downside.
>
> Deepak Jain
> AiNET
>
> -----Original Message-----
> From: Kris Kennaway [mailto:kris@obsecurity.org]
> Sent: Saturday, September 08, 2001 6:37 PM
> To: D J Hawkey Jr
> Cc: Alexander Langer; deepak@ai.net; freebsd-security@FreeBSD.ORG
> Subject: Re: Kernel-loadable Root Kits
>
> On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
>
> > Q: Can the kernel be "forced" to load a module from within itself? That
> > is, does a cracker need to be in userland?
>
> If you're at securelevel 1 or higher, you shouldn't be able to cause
> untrusted code to be loaded by the kernel by "legal" means, only by
> "illegal" means such as exploiting kernel buffer overflows and other
> bugs which may exist.
>
> Kris
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.30.0109091103580.32595-100000>
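The exchange above turns on one rule of FreeBSD file flags: `schg` (system immutable) blocks writes even by root, but root can clear it with `chflags noschg` unless `kern.securelevel` is already 1 or higher, at which point system flags cannot be unset without rebooting into a lower securelevel. The audit script below, an added example written for this page and not code from the thread or from FreeBSD, encodes that reasoning so it can be run over a set of boot-critical files: it parses `ls -lo` output, checks which files carry `schg`, and reports which ones a root shell could still modify given the current securelevel. The `ls -lo` lines and securelevel values are constructed sample data; on a real host you would feed it the output of `ls -lo /etc/rc.conf /etc/rc ...` and `sysctl -n kern.securelevel`.

```python
"""Audit whether schg plus securelevel actually protects boot-critical files.

Added example for the thread above (not from the original message or from
FreeBSD itself). Semantics assumed, per chflags(1)/chflags(2) on FreeBSD:
  - a file with the schg flag cannot be written, even by root;
  - root can clear schg with `chflags noschg` while kern.securelevel < 1;
  - once kern.securelevel >= 1, system flags such as schg cannot be cleared,
    and securelevel itself cannot be lowered without a reboot.
The `ls -lo` output below is constructed sample data.
"""
import re

# Constructed sample of `ls -lo /etc/rc.conf /etc/rc /etc/fstab` output.
# In `ls -lo`, the fifth column lists comma-separated file flags, or "-"
# when no flags are set.
SAMPLE_LS_LO = """\
-rw-r--r--  1 root  wheel  schg  312 Sep  8 23:10 /etc/rc.conf
-r-xr-xr-x  1 root  wheel  -     9812 Sep  8 23:10 /etc/rc
-rw-r--r--  1 root  wheel  -     241 Sep  8 23:10 /etc/fstab
"""

# One `ls -lo` line: mode, link count, owner, group, flags, size,
# month, day, time-or-year, path.
_LS_LO_RE = re.compile(
    r"^(?P<mode>\S+)\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<flags>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)


def parse_ls_lo(text):
    """Return {path: set_of_flags} parsed from `ls -lo` output.

    Lines that do not match the expected layout (e.g. a "total" line)
    are skipped rather than treated as files.
    """
    result = {}
    for line in text.splitlines():
        m = _LS_LO_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags")
        result[m.group("path")] = set() if flags == "-" else set(flags.split(","))
    return result


def root_can_modify(flags, securelevel):
    """True if a root shell could alter the file, directly or after
    clearing its flags.

    Only schg counts: the user flag uchg can be removed by the owner or
    root at any securelevel, so it does not stop an attacker with root.
    """
    if "schg" not in flags:
        return True
    # schg is set, but below securelevel 1 root just runs `chflags noschg`.
    return securelevel < 1


def audit(ls_lo_text, securelevel):
    """Return the sorted paths that root could still modify."""
    files = parse_ls_lo(ls_lo_text)
    return sorted(p for p, f in files.items() if root_can_modify(f, securelevel))


if __name__ == "__main__":
    for level in (-1, 1):
        exposed = audit(SAMPLE_LS_LO, level)
        print(f"kern.securelevel={level}: root can modify {exposed}")
```

With the sample data, at securelevel 1 only `/etc/rc` and `/etc/fstab` are reported (the suggestion in the thread to flag `rc` as well, or all of `/etc`, addresses exactly that); at securelevel -1 every file is reported, including `rc.conf`, because the flag can simply be cleared before editing.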