Date:      Mon, 12 Jul 1999 20:33:43 +0100 (BST)
From:      Doug Rabson <dfr@nlsystems.com>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        Mark Newton <newton@atdot.dotat.org>, Mike Tancsa <mike@sentex.net>, security@freebsd.org, stable@freebsd.org
Subject:   Re: 3.x backdoor rootshell security hole
Message-ID:  <Pine.BSF.4.10.9907122031140.58023-100000@salmon.nlsystems.com>
In-Reply-To: <Pine.BSF.3.96.990712100409.9906A-100000@fledge.watson.org>

On Mon, 12 Jul 1999, Robert Watson wrote:

> On Mon, 12 Jul 1999, Mark Newton wrote:
> 
> > Mike Tancsa wrote:
> > 
> >  > Has anyone looked at the article below? Here is a quote,
> >  > "The following module was a nice idea I had when playing around with the
> >  > proc structure. Load this module, and you can 'SU' without a password.
> > 
> > If you have enough privileges to load a module, you have enough 
> > privileges to su without a password already (by creating an suid
> > shell, for example)
> 
> In fact, if you have permission to modify the running kernel, you may have
> more privilege than that of a root process, with securelevels.. :-)  What
> the THC posting is really about is hiding compromises on a machine that
> has been compromised, and leaving backdoors.  The title, "Attacking
> FreeBSD..." is a little misleading, it's more about "Trojaning FreeBSD
> Once You Already Have Absolute Control of a Machine".  And these aren't
> even very persistent: they have to be reloaded after each boot, meaning
> changes to configuration files, etc, etc.  

Also if a site is running using securelevel, even root can't load files
into the running kernel. The attacker would have to arrange to load the
code during startup and reboot the box (a noticeable event surely).

Hmm. Shouldn't we protect the contents of /boot with the schg flag?

--
Doug Rabson				Mail:  dfr@nlsystems.com
Nonlinear Systems Ltd.			Phone: +44 181 442 9037
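The two controls raised in this message, a securelevel that refuses kldload and the schg flag on /boot, are easy to assert on paper and easy to leave half-applied. The following audit script is an added example, not code from the thread or from the FreeBSD project: it checks a securelevel value the way kern.securelevel is interpreted (module loading is refused once the level is above 0) and reports every regular file in `ls -lo` output whose flags column lacks schg. The `ls -lo` lines below are constructed sample input; on a real host you would pipe in `find /boot -type f -exec ls -lo {} +` and `sysctl -n kern.securelevel` instead. One caveat the script cannot check for you: once both protections are in place, installing a new kernel means dropping to single-user mode, since a running system cannot lower its securelevel and cannot clear schg while the level is above 0.

```shell
#!/bin/sh
# Added example (not from the original mail thread): audit the two protections
# discussed above on a FreeBSD host.
#   1. kern.securelevel >= 1, which refuses kldload at runtime
#   2. every regular file under /boot carrying the schg (system immutable) flag
#
# The logic works over text so it can be exercised on the constructed sample
# below; on a real system use:
#   securelevel_blocks_kldload "$(sysctl -n kern.securelevel)"
#   find /boot -type f -exec ls -lo {} + | files_missing_schg

# Returns 0 (true) when the given securelevel blocks runtime module loading.
# FreeBSD refuses kldload once kern.securelevel is greater than 0.
securelevel_blocks_kldload() {
    level="$1"
    [ "$level" -ge 1 ] 2>/dev/null
}

# Reads `ls -lo` lines on stdin and prints the path of every regular file
# whose flags column (5th field) does not contain schg.
# ls -lo layout: mode links owner group flags size month day time|year name
# The flags field is "-" when no flags are set, or a comma-separated list.
files_missing_schg() {
    awk '
        $1 ~ /^-/ {                          # regular files only, skip dirs/links
            n = split($5, f, ",")
            has = 0
            for (i = 1; i <= n; i++) if (f[i] == "schg") has = 1
            if (!has) print $NF              # path is the last field
        }
    '
}

# Constructed sample of `ls -lo` output (hypothetical paths and sizes).
# Only loader.conf lacks the flag and should be reported.
SAMPLE_LS='-r--r--r--  1 root  wheel  schg        3489200 Jul 12  1999 /boot/kernel/kernel
-r--r--r--  1 root  wheel  -              9000 Jul 12  1999 /boot/loader.conf
-r--r--r--  1 root  wheel  schg,uchg      4567 Jul 12  1999 /boot/loader
drwxr-xr-x  2 root  wheel  -               512 Jul 12  1999 /boot/kernel'

# Runs the audit over the sample and returns 0 only if nothing is missing.
audit_sample() {
    missing=$(printf '%s\n' "$SAMPLE_LS" | files_missing_schg)
    if [ -n "$missing" ]; then
        printf 'files under /boot without schg:\n%s\n' "$missing"
        return 1
    fi
    echo "all regular files in sample carry schg"
    return 0
}

# Stand-alone run: report securelevel 1 and the sample's unprotected file.
if securelevel_blocks_kldload 1; then echo "securelevel 1: kldload refused"; fi
audit_sample || true
```

The awk filter keys on the mode column rather than on the path, so directories and symlinks are ignored; schg on a directory only prevents renames and unlinks within it, which is a separate decision from protecting the kernel and loader files themselves.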




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.10.9907122031140.58023-100000>