From owner-freebsd-security  Sat Sep  8 17:40:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54])
	by hub.freebsd.org (Postfix) with ESMTP id CBE0737B406
	for <freebsd-security@FreeBSD.ORG>; Sat,  8 Sep 2001 17:40:43 -0700 (PDT)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 3540066D0A; Sat,  8 Sep 2001 17:40:43 -0700 (PDT)
Date: Sat, 8 Sep 2001 17:40:42 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Deepak Jain <deepak@ai.net>
Cc: Kris Kennaway <kris@obsecurity.org>,
	D J Hawkey Jr <hawkeyd@visi.com>,
	Alexander Langer <alex@big.endian.de>, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits
Message-ID: <20010908174042.A88337@xor.obsecurity.org>
References: <20010908153700.B72780@xor.obsecurity.org> <GPEOJKGHAMKFIOMAGMDIIEIPFHAA.deepak@ai.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="sdtB3X0nJg68CQEu"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <GPEOJKGHAMKFIOMAGMDIIEIPFHAA.deepak@ai.net>; from deepak@ai.net on Sat, Sep 08, 2001 at 08:41:53PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


--sdtB3X0nJg68CQEu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Sep 08, 2001 at 08:41:53PM -0400, Deepak Jain wrote:
>=20
> Presumably, a user in userland has root to be loading a kernel module in =
the
> first place.
>=20
> This user could easily edit the rc.conf file to boot up in securelevel=3D=
-1
> and reboot the machine -- as well as circumvent most notifications about =
the
> reboot.
>=20
> Hell, if I wanted to compromise a box, screwing the kernel directly is the
> way to go. Especially for remotely administered boxes, there is almost no
> downside.

Yes, you're now getting into the reasons why securelevel isn't a very
robust security feature, which has been well-covered on this list in
the past.

Kris

--sdtB3X0nJg68CQEu
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7mrqKWry0BWjoQKURAvOAAJ0dWZ7iGKyDqvC/+EJuEHpFAJPw4QCguR5m
LLAsFLXZDMuDCmX8CEl6jbc=
=G/A+
-----END PGP SIGNATURE-----

--sdtB3X0nJg68CQEu--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message