From owner-freebsd-security Sat Sep 8 15:54:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from brea.mc.mpls.visi.com (brea.mc.mpls.visi.com [208.42.156.100]) by hub.freebsd.org (Postfix) with ESMTP id 8645137B403 for ; Sat, 8 Sep 2001 15:54:52 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by brea.mc.mpls.visi.com (Postfix) with ESMTP id 958942DDC04; Sat, 8 Sep 2001 17:54:51 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.1/8.11.1) id f88Mso679783; Sat, 8 Sep 2001 17:54:50 -0500 (CDT) (envelope-from hawkeyd) Date: Sat, 8 Sep 2001 17:54:50 -0500 From: D J Hawkey Jr To: Kris Kennaway Cc: Alexander Langer , deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908175450.A79709@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908153700.B72780@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010908153700.B72780@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 03:37:00PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sep 08, at 03:37 PM, Kris Kennaway wrote: > > On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote: > > > Q: Can the kernel be "forced" to load a module from within itself? That > > is, does a cracker need to be in userland? > > If you're at securelevel 1 or higher, you shouldn't be able to cause > untrusted code to be loaded by the kernel by "legal" means, only by > "illegal" means such as exploiting kernel buffer overflows and other > bugs which may exist. Peter described the function calls to pull it off; I'm not knowledgable enough to argue the accuracy/simplicity/complexity of what he wrote. Except (an after-thought here), that the cracker would have to be pretty darned knowledgable about FreeBSD, after IDing the targetted system as FreeBSD (and perhaps even what release/patchlevel), to have or build such a backdoor, no? I believe it's the "illegal means" that are the concerns of this thread. > Kris Feel free to join in, you seem to be a jack-of-all-trades in these groups! Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message