[1629] in linux-security and linux-alert archive
[linux-security] Re: kerneld and module security
daemon@ATHENA.MIT.EDU (Patrick Cantwell)
Mon Sep 29 19:29:56 1997
Date: Mon, 29 Sep 1997 15:05:20 -0400 (EDT)
From: Patrick Cantwell <seamus@insomnia.org>
To: Aleph One <aleph1@DFW.NET>
Cc: BUGTRAQ@NETSPACE.ORG, linux-security@redhat.com
In-Reply-To: <Pine.SUN.3.94.970928234436.12849B-100000@dfw.dfw.net>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
On Sun, 28 Sep 1997, Aleph One wrote:
(forwarded from linux-security@redhat.com)
<snip>
> Corollary: Any module in /lib/modules can be loaded into kernel memory by
> any user at any time. There are potential denial-of-service attacks
> from autoprobes and device initialization all kinds of other goo that
> I wish I didn't have to think about here.
see Brian Mitchell's "hacked_setuid" module, that was released in phrack
50, article 5 (along with his linspy terminal snooper program)..
what this module does is redirect the setuid() call so you can become
superuser using a magic number.
just think, if you could load this module at will without being root, all
you'd need to do is whip up some code that does setuid(magic_number) and
spawns a shell!
> Here are four alternative fixes:
#5 make /usr/lib/modules root read/write only
TheFloyd
--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null