[1645] in linux-security and linux-alert archive
[linux-security] Re: Malicious Linux modules
daemon@ATHENA.MIT.EDU (Runar Jensen)
Fri Oct 10 02:57:46 1997
From: Runar Jensen <zarq@1stnet.com>
To: "Peter W" <peterw@clark.net>,
"bugtraq@netspace.org" <bugtraq@netspace.org>,
"linux-security@redhat.com" <linux-security@redhat.com>
In-Reply-To: Your message of "Thu, 09 Oct 1997 07:42:27 +0500."
<199710091142.HAA29040@mail.clark.net>
Date: Thu, 09 Oct 1997 10:16:32 -0500
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
In message <199710091142.HAA29040@mail.clark.net>, "Peter W" writes:
>> The implications should be obvious. Once a compromise has taken place,
>> nothing can be trusted, the operating system included. A module such as
>> this could be placed in /lib/modules/<kernel_ver>/default to force it to be
>> loaded after every reboot, or put in place of a commonly used module and in
>> turn have it load the required module for an added level of protection.
> Either of these situations would be "caught" by a properly configured
> Tripwire. As long as Tripwire is watching /lib/modules (along with the usual
> *NIX areas) it should at least be detectable and fixable. It would be up to
> the admin to decide whether to shut down "cleanly" and risk some more
> malicious module damage (e.g. a "cleanup" routine when shutdown starts). Of
> course it sounds like you can't trust Tripwire now unless you boot from
> known good media (i.e. floppies) since the module could muck with its data.
> Yuck.
Once root access is gained, the module could very well be compiled and placed
anywhere on the drive (like a home directory), loaded, and _then_ moved to
/lib/modules. At that point the module will already be invisible to Tripwire.
(This, of course, assumes that the intruder is smart enough to first get in
and get root without setting off any alarms. :) I am not sure how Tripwire is
started after a reboot, but I do believe that the default modules will be
loaded before it does.
.../ru
-----
Runar Jensen | Phone (318) 289-0125 | Email zarq@1stnet.com
Network Administrator | or (800) 264-7440 | or zarq@opaque.org
Tech Operations Mgr | Fax (318) 235-1447 | Epage zarq@page.1stnet.com
FirstNet of Acadiana | Pager (318) 268-8533 | [message in subject]
--
----------------------------------------------------------------------
Please refere to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null