[1629] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: kerneld and module security

daemon@ATHENA.MIT.EDU (Patrick Cantwell)
Mon Sep 29 19:29:56 1997

Date: Mon, 29 Sep 1997 15:05:20 -0400 (EDT)
From: Patrick Cantwell <seamus@insomnia.org>
To: Aleph One <aleph1@DFW.NET>
Cc: BUGTRAQ@NETSPACE.ORG, linux-security@redhat.com
In-Reply-To: <Pine.SUN.3.94.970928234436.12849B-100000@dfw.dfw.net>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

On Sun, 28 Sep 1997, Aleph One wrote:

(forwarded from linux-security@redhat.com)

<snip>

> Corollary:  Any module in /lib/modules can be loaded into kernel memory by
> any user at any time.  There are potential denial-of-service attacks
> from autoprobes and device initialization all kinds of other goo that
> I wish I didn't have to think about here.

see Brian Mitchell's "hacked_setuid" module, that was released in phrack
50, article 5 (along with his linspy terminal snooper program)..
what this module does is redirect the setuid() call so you can become
superuser using a magic number.
just think, if you could load this module at will without being root, all
you'd need to do is whip up some code that does setuid(magic_number) and
spawns a shell! 

> Here are four alternative fixes:

#5 make /usr/lib/modules root read/write only

TheFloyd

--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null


home help back first fref pref prev next nref lref last post