Date: Sat, 8 Sep 2001 15:37:00 -0700
From: Kris Kennaway
To: D J Hawkey Jr
Cc: Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908153700.B72780@xor.obsecurity.org>
In-Reply-To: <20010908102816.B77764@sheol.localdomain>

On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> Q: Can the kernel be "forced" to load a module from within itself? That
> is, does a cracker need to be in userland?

If you're at securelevel 1 or higher, you shouldn't be able to cause
untrusted code to be loaded by the kernel by "legal" means, only by
"illegal" means such as exploiting kernel buffer overflows and other
bugs which may exist.

Kris
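
Added example, not part of the original message: shell functions that check whether the securelevel condition described in the reply holds on a running host and whether it will still hold after a reboot. It assumes FreeBSD's `kern.securelevel` sysctl and the `kern_securelevel_enable` / `kern_securelevel` rc.conf variables; the function names and the sample rc.conf text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Hypothetical helpers: rc_value, audit_securelevel.

# Constructed sample rc.conf content, used only for demonstration.
SAMPLE_RC='hostname="example.invalid"
kern_securelevel_enable="YES"   # constructed sample
kern_securelevel="1"'

# Print the value of an rc.conf variable (last assignment wins, quotes stripped).
# $1 = variable name, $2 = rc.conf text
rc_value() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" |
        tail -n 1
}

# $1 = running kern.securelevel value, $2 = rc.conf text
# Prints one of:
#   enforced      securelevel >= 1 now and configured to be raised at boot
#   runtime-only  securelevel >= 1 now, but a reboot returns to a loadable state
#   boot-only     configured in rc.conf, but not raised on the running kernel
#   open          module loading is not restricted by securelevel
audit_securelevel() {
    running=$1
    enable=$(rc_value kern_securelevel_enable "$2")
    boot=$(rc_value kern_securelevel "$2")
    now=no
    persist=no
    if [ "$running" -ge 1 ] 2>/dev/null; then
        now=yes
    fi
    case "$enable" in
        [Yy][Ee][Ss])
            # rc.conf default for kern_securelevel is -1 when unset
            if [ "${boot:--1}" -ge 1 ] 2>/dev/null; then
                persist=yes
            fi
            ;;
    esac
    case "$now/$persist" in
        yes/yes) echo enforced ;;
        yes/no)  echo runtime-only ;;
        no/yes)  echo boot-only ;;
        *)       echo open ;;
    esac
}

# On a FreeBSD host:
#   audit_securelevel "$(sysctl -n kern.securelevel)" "$(cat /etc/rc.conf)"
```

Only `/etc/rc.conf` text is considered here; settings in other rc.conf locations would need to be passed in as well.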