[17640] in bugtraq
Re: More modutils: It's probably worse.
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Mon Nov 13 20:05:54 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0011132352550.31869-100000@dione.ids.pl>
Date: Tue, 14 Nov 2000 00:06:32 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Chris Evans <chris@scary.beasts.org>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0011132040160.1699-100000@ferret.lmh.ox.ac.uk>
On Mon, 13 Nov 2000, Chris Evans wrote:
> modprobe -C, to specify a config file other than /etc/modules.conf,
> would be an interesting route to play with.
You are wrong - modprobe WON'T parse e.g. argv[n]="-r blahblah" or
argv[n]="-rblahblah" - every switch that requires additional parameters
has to be split into two argv[] entries (argv[n]="-r",
argv[n+1]="blahblah"). It is not possible to split anything into two or
more separate argv entries using the request_module() call - where
/sbin/modprobe is called with the user-supplied module name as argv[3].
The same applies to module parameter parsing (so 'mymodule someparam=xxx'
won't work either), etc. And, finally, at least my modprobe from modutils
2.1.121 has no -C switch.
Another thing I don't get regarding all the feedback - request_module()
contains pretty strict checks, and couldn't be called without root
privileges or specific capabilities. And the only location where it
seems to be called with a user-supplied module name is the networking
code. Maybe I am missing something, but at least for me, modprobe
vulnerabilities are exploitable via privileged networking services,
nothing more.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=