From owner-freebsd-security Sun Sep 9 1:10:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from algol.vtrip-ltd.com (algol.vtrip-ltd.com [139.91.200.19]) by hub.freebsd.org (Postfix) with ESMTP id EA0E237B403 for ; Sun, 9 Sep 2001 01:10:21 -0700 (PDT)
Received: from verigak (helo=localhost) by algol.vtrip-ltd.com with local-esmtp (Exim 3.12 #1 (Debian)) id 15fzcq-0008V3-00; Sun, 09 Sep 2001 11:07:32 +0300
Date: Sun, 9 Sep 2001 11:07:32 +0300 (EEST)
From: Giorgos Verigakis
To: Deepak Jain
Cc: Kris Kennaway, D J Hawkey Jr, Alexander Langer, freebsd-security@FreeBSD.ORG
Subject: RE: Kernel-loadable Root Kits
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 8 Sep 2001, Deepak Jain wrote:

> Presumably, a user in userland has root to be loading a kernel module in the
> first place.
>
> This user could easily edit the rc.conf file to boot up in securelevel=-1
> and reboot the machine -- as well as circumvent most notifications about the
> reboot.

Yes, but then you can chflags schg rc.conf rc ... (or maybe the whole /etc)

> Hell, if I wanted to compromise a box, screwing the kernel directly is the
> way to go. Especially for remotely administered boxes, there is almost no
> downside.
>
> Deepak Jain
> AiNET
>
> -----Original Message-----
> From: Kris Kennaway [mailto:kris@obsecurity.org]
> Sent: Saturday, September 08, 2001 6:37 PM
> To: D J Hawkey Jr
> Cc: Alexander Langer; deepak@ai.net; freebsd-security@FreeBSD.ORG
> Subject: Re: Kernel-loadable Root Kits
>
> On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
>
> > Q: Can the kernel be "forced" to load a module from within itself? That
> > is, does a cracker need to be in userland?
>
> If you're at securelevel 1 or higher, you shouldn't be able to cause
> untrusted code to be loaded by the kernel by "legal" means, only by
> "illegal" means such as exploiting kernel buffer overflows and other
> bugs which may exist.
>
> Kris
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
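The thread leans on two FreeBSD controls working together: kern.securelevel at 1 or higher refuses kldload and refuses to clear the schg (system immutable) flag even for root, and schg on the files that set the boot-time securelevel stops root from quietly lowering it for the next reboot. The script below is an added example, not code from the thread or from FreeBSD; it audits both conditions. It assumes a FreeBSD host (sysctl(8), chflags(1), the flags column of `ls -lo`), the FreeBSD 4.x rc.conf variable names kern_securelevel_enable and kern_securelevel, and a file list that is only a starting point.

```sh
#!/bin/sh
# Added example, not from the list thread: audit the two things the thread
# relies on to keep root from quietly disabling securelevel at the next boot.
#   1. kern.securelevel is already >= 1 on the running kernel, and
#   2. the files that decide the boot-time securelevel carry the schg flag,
#      so that at securelevel >= 1 not even root can edit them or clear it.
# Assumes FreeBSD: sysctl(8), chflags(1) and the flags column of `ls -lo`.
# File list and rc.conf variable names follow FreeBSD 4.x defaults.

# Files whose contents decide what securelevel the box boots into.
# Assumption: extend this (e.g. with the kernel image) to suit your box.
BOOT_CONFIG_FILES="/etc/rc.conf /etc/defaults/rc.conf /etc/rc"

# securelevel_ok LEVEL: succeed when LEVEL means "kldload and chflags
# noschg are refused for everyone, including root", i.e. LEVEL >= 1.
securelevel_ok() {
    case "$1" in
        ''|*[!0-9-]*) return 2 ;;   # not a number at all
    esac
    [ "$1" -ge 1 ]
}

# ls_flags LINE: print the flags field (5th column) of one `ls -lo` line,
# e.g. "-rw-r--r--  1 root  wheel  schg  1234 Sep  9 11:07 /etc/rc.conf".
ls_flags() {
    set -- $1
    printf '%s\n' "$5"
}

# has_schg LINE: succeed if the `ls -lo` LINE shows the system-immutable flag.
# Flags are comma separated ("sunlnk,schg"), so match schg as a list element;
# uchg (user immutable) does not count, root can clear that at any level.
has_schg() {
    case ",$(ls_flags "$1")," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# rc_conf_securelevel FILE...: print the securelevel rc(8) will request at
# boot after sourcing FILEs in order (defaults first, then /etc/rc.conf).
# Prints -1 when kern_securelevel_enable is not YES, the shipped default.
rc_conf_securelevel() {
    enable=$(sed -n 's/^kern_securelevel_enable="\([^"]*\)".*/\1/p' "$@" | tail -n 1)
    level=$(sed -n 's/^kern_securelevel="\([^"]*\)".*/\1/p' "$@" | tail -n 1)
    case "$enable" in
        [Yy][Ee][Ss]) printf '%s\n' "${level:--1}" ;;
        *)            printf '%s\n' "-1" ;;
    esac
}

# audit_live: run the checks on this machine; exit status 0 only if every
# check passes. Prints one line per finding.
audit_live() {
    rc=0
    level=$(sysctl -n kern.securelevel)
    if securelevel_ok "$level"; then
        echo "ok   kern.securelevel=$level"
    else
        echo "WEAK kern.securelevel=$level (root can still kldload / chflags noschg)"
        rc=1
    fi
    boot_level=$(rc_conf_securelevel /etc/defaults/rc.conf /etc/rc.conf)
    if securelevel_ok "$boot_level"; then
        echo "ok   rc.conf requests securelevel $boot_level at boot"
    else
        echo "WEAK rc.conf requests securelevel $boot_level at boot"
        rc=1
    fi
    for f in $BOOT_CONFIG_FILES; do
        if has_schg "$(ls -lod "$f")"; then
            echo "ok   $f is schg"
        else
            echo "WEAK $f is not schg (fix: chflags schg $f, then raise securelevel)"
            rc=1
        fi
    done
    return $rc
}

# Only talk to the kernel when actually on FreeBSD; the functions above are
# pure so they can be exercised anywhere.
[ "$(uname -s)" = FreeBSD ] && audit_live || :
```

Order matters when applying the fix: set the schg flags first and raise securelevel in the same boot, because once kern.securelevel is 1 or higher the flag can no longer be cleared, but before that point root can simply run chflags noschg. The caveat the thread does not spell out is console access: the kernel starts at securelevel -1 and only /etc/rc raises it, so an attacker who can reach the loader or boot to single-user mode gets a box that is still writable, and nothing in this audit detects that.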