[13282] in bugtraq
Re: Announcement: Solaris loadable kernel module backdoor
daemon@ATHENA.MIT.EDU (der Mouse)
Fri Jan 7 15:26:11 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id: <200001061620.LAA16952@Twig.Rodents.Montreal.QC.CA>
Date: Thu, 6 Jan 2000 11:20:46 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> [...] the numerous other ways root can subvert the running kernel ---
> or, equivalently, all running processes (e.g. with ptrace).
Subverting the kernel is not equivalent to subverting any/all running
processes; the former is significantly stronger than the latter. As a
simple example, if you have hardware on your system that the kernel
ignores[%], subverting all running processes still won't allow you to
access it, but subverting the kernel potentially will.
[%] For whatever reason - perhaps because it doesn't understand it, or
perhaps because support is configured out.
In some cases, of course, subverting certain processes may allow you to
subvert the kernel, if the kernel trusts one of those processes
sufficiently highly (eg, allows it to load arbitrary LKMs). That
doesn't make them equivalent, except perhaps in the case of that setup.
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
