Date: Sat, 8 Sep 2001 20:41:53 -0400
From: "Deepak Jain" <deepak@ai.net>
To: "Kris Kennaway" <kris@obsecurity.org>, "D J Hawkey Jr" <hawkeyd@visi.com>
Cc: "Alexander Langer" <alex@big.endian.de>, <freebsd-security@FreeBSD.ORG>
Subject: RE: Kernel-loadable Root Kits
Message-ID: <GPEOJKGHAMKFIOMAGMDIIEIPFHAA.deepak@ai.net>
In-Reply-To: <20010908153700.B72780@xor.obsecurity.org>

Presumably, a user in userland has root to be loading a kernel module in the first place.

This user could easily edit the rc.conf file to boot up in securelevel=-1 and reboot the machine -- as well as circumvent most notifications about the reboot.

Hell, if I wanted to compromise a box, screwing the kernel directly is the way to go. Especially for remotely administered boxes, there is almost no downside.

Deepak Jain
AiNET

-----Original Message-----
From: Kris Kennaway [mailto:kris@obsecurity.org]
Sent: Saturday, September 08, 2001 6:37 PM
To: D J Hawkey Jr
Cc: Alexander Langer; deepak@ai.net; freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits

On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:

> Q: Can the kernel be "forced" to load a module from within itself? That
> is, does a cracker need to be in userland?

If you're at securelevel 1 or higher, you shouldn't be able to cause untrusted code to be loaded by the kernel by "legal" means, only by "illegal" means such as exploiting kernel buffer overflows and other bugs which may exist.

Kris
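
The rc.conf edit discussed in this message persists a lowered securelevel across the reboot, so the file itself is worth auditing. As an added example (not part of the original thread), this sh function reports the boot-time securelevel a given rc.conf would yield; it assumes the standard FreeBSD `kern_securelevel_enable` and `kern_securelevel` variables, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit the boot-time securelevel that an rc.conf would produce.
# rc.conf is sh syntax and the last assignment wins, so take the final match.

rc_value() {  # rc_value FILE VAR -> last value assigned to VAR, quotes stripped
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

audit_securelevel() {  # audit_securelevel FILE -> prints "OK n" or "WEAK reason"
    enable=$(rc_value "$1" kern_securelevel_enable)
    level=$(rc_value "$1" kern_securelevel)
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo "WEAK kern_securelevel_enable is not YES"; return 1 ;;
    esac
    case "$level" in
        [1-3]) echo "OK $level"; return 0 ;;
        *) echo "WEAK kern_securelevel=${level:-unset}"; return 1 ;;
    esac
}

# Constructed sample: a later line overrides the earlier, hardened setting.
sample=$(mktemp)
cat > "$sample" <<'EOF'
kern_securelevel_enable="YES"
kern_securelevel="2"
kern_securelevel="-1"   # appended later; last assignment wins
EOF
audit_securelevel "$sample" || true    # prints: WEAK kern_securelevel=-1
rm -f "$sample"
```

On a live host, compare the result with `sysctl kern.securelevel`. The file check only holds if rc.conf cannot be rewritten, for example by setting the `schg` flag on it, which cannot be cleared at securelevel 1 or higher.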