From owner-freebsd-security Sat Sep 8 7:48: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from r220-1.rz.RWTH-Aachen.DE (r220-1.rz.RWTH-Aachen.DE [134.130.3.31]) by hub.freebsd.org (Postfix) with ESMTP id 66DE937B401 for ; Sat, 8 Sep 2001 07:47:56 -0700 (PDT)
Received: from r220-1.rz.RWTH-Aachen.DE (relay2.RWTH-Aachen.DE [134.130.3.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3-2) with ESMTP id f88Eluc15428; Sat, 8 Sep 2001 16:47:56 +0200 (MEST)
Received: from kawoserv.kawo2.rwth-aachen.de (root@kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3/5) with ESMTP id f88Eltu15424; Sat, 8 Sep 2001 16:47:56 +0200 (MEST)
Received: from fump.kawo2.rwth-aachen.de (root@fump.kawo2.rwth-aachen.de [134.130.181.148]) by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) with ESMTP id QAA20281; Sat, 8 Sep 2001 16:47:54 +0200
Received: (from alex@localhost) by fump.kawo2.rwth-aachen.de (8.11.3/8.11.3) id f88Em1F54163; Sat, 8 Sep 2001 16:48:02 +0200 (CEST) (envelope-from alex)
Date: Sat, 8 Sep 2001 16:48:00 +0200
From: Alexander Langer
To: Krzysztof Zaraska
Cc: D J Hawkey Jr , deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908164800.A54141@fump.kawo2.rwth-aachen.de>
References: <200109081052.f88AqRG30016@sheol.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from kzaraska@student.uci.agh.edu.pl on Sat, Sep 08, 2001 at 04:24:23PM +0200
X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F
X-PGP-at: finger alex@big.endian.de
X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thus spake Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl):

> # kldload trojan.ko && rm /modules/trojan.ko

No need to rm it. You can manipulate the ufs vnode layer to hide this
file. See http://www.r4k.net/mod/

> So the only alert you may get from tripwire is that ctime of /modules is
> changed.

See above.

> I think the original question was: how to find a trojaned module in
> memory if there's no relevant binary on disk?

Write a module that checksums the relevant parts of the kernel, the
linker_file list and similar in-kernel stuff (e.g. accesses to all
functions that are needed to load the trojan module). Be sure to hide
this module as well. If an attacker isn't aware of such a module, he
won't try to circumvent it. If he's aware, it's still hard to find and
circumvent it before his trojan module gets loaded. It's even harder if
he doesn't know what internal functions and data structures your module
uses, so be sure to write your own :)

> We may also consider adding a feature to kldload to load only modules
> from under /modules but I'm afraid this may be circumvented by attacker
> fetching her own kldload.

You can still use /dev/mem.

Oh, and if you are able to load a module in securelevel >= 1 mode, you
are probably also able to tell kldload to load from other paths :)

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
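The checksumming detector Alex describes, as an added userland model that is not from the thread or from FreeBSD: `struct lf_entry` is a hypothetical stand-in for the kernel's linker_file entries, and the "kernel text" and module bytes are constructed sample data. It takes a baseline hash over the kernel text and the whole module list, then shows that both an entry silently unlinked from the list and a single patched text byte change the hash.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical userland stand-in for the kernel's linker_file list; a real
 * detector module would walk struct linker_file from <sys/linker.h>. */
struct lf_entry { const char *filename; const unsigned char *address;
                  size_t size; struct lf_entry *next; };

/* 64-bit FNV-1a, fed incrementally so one hash spans several regions. */
static uint64_t fnv1a(uint64_t h, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Hash kernel text plus each list entry's name, base, size and text; an
 * entry unlinked ("hidden") from the list changes the hash just as a
 * patched text byte does. */
uint64_t snapshot(const unsigned char *ktext, size_t ktext_len,
                  const struct lf_entry *head)
{
    uint64_t h = fnv1a(14695981039346656037ULL, ktext, ktext_len);
    for (const struct lf_entry *e = head; e != NULL; e = e->next) {
        h = fnv1a(h, e->filename, strlen(e->filename));
        h = fnv1a(h, &e->address, sizeof e->address);
        h = fnv1a(h, &e->size, sizeof e->size);
        h = fnv1a(h, e->address, e->size);
    }
    return h;
}

/* Constructed scenario: baseline, then one entry is unlinked, then one byte
 * of kernel text is patched. Returns a bitmask: 1 = list change caught,
 * 2 = text change caught (so 3 means both). */
int demo(void)
{
    unsigned char ktext[8] = {0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0xc9, 0xc3};
    unsigned char ta[4] = {1, 2, 3, 4}, tb[4] = {5, 6, 7, 8};
    struct lf_entry b = {"second.ko", tb, sizeof tb, NULL};
    struct lf_entry a = {"first.ko", ta, sizeof ta, &b};
    uint64_t base = snapshot(ktext, sizeof ktext, &a);
    int caught = 0;
    a.next = NULL;                              /* b is now hidden */
    if (snapshot(ktext, sizeof ktext, &a) != base) caught |= 1;
    a.next = &b;                                /* restore list, patch text */
    ktext[3] ^= 0xff;
    if (snapshot(ktext, sizeof ktext, &a) != base) caught |= 2;
    return caught;
}
```

A kernel-resident version would hash the real text segment and the linker_files queue in the same way and compare against the baseline on a timer; the baseline itself has to be taken before any untrusted module could have been loaded.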