From: Kris Kennaway
To: D J Hawkey Jr
Cc: Kris Kennaway, Alexander Langer, deepak@ai.net, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Date: Sat, 8 Sep 2001 16:03:13 -0700
Message-ID: <20010908160313.A74275@xor.obsecurity.org>
In-Reply-To: <20010908175450.A79709@sheol.localdomain>

On Sat, Sep 08, 2001 at 05:54:50PM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 03:37 PM, Kris Kennaway wrote:
>
> > On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> >
> > > Q: Can the kernel be "forced" to load a module from within itself? That
> > > is, does a cracker need to be in userland?
> >
> > If you're at securelevel 1 or higher, you shouldn't be able to cause
> > untrusted code to be loaded by the kernel by "legal" means, only by
> > "illegal" means such as exploiting kernel buffer overflows and other
> > bugs which may exist.
>
> Peter described the function calls to pull it off; I'm not knowledgeable
> enough to argue the accuracy/simplicity/complexity of what he wrote.

No, the kldload(2) syscall itself is denied at securelevel >=1.

> Except (an after-thought here), that the cracker would have to be
> pretty darned knowledgeable about FreeBSD, after IDing the targeted
> system as FreeBSD (and perhaps even what release/patchlevel), to have
> or build such a backdoor, no?

Well, only one person needs to be knowledgeable. Then they package up
their knowledge into a script and all the kiddies in the world can use it.

> I believe it's the "illegal means" that are the concerns of this thread.

No, they're bugs in FreeBSD, and are fixed as soon as they're pointed out
to us, and should never again recur.

Kris