Bug#524373: linux-2.6: /dev/mem rootkit vulnerability
On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > As seen in recent articles and discussions, the Linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device. One
> > article mentions that there is an existing patch for the problem,
> > but does not link to it. Perhaps this fix can be found in the kernel
> > mailing lists.
> There's no vulnerability there. /dev/mem is only writable by root.
> The research (if there's really any research involved) just shows how
> you could hide files or processes by manipulating /dev/mem. That's been
> known for ages. That's why you don't let your users write to /dev/mem.
> If the attacker has root, who cares what means they use to hide their
> presence; you've already lost.
I believe that the "if they've got root, you've already lost" consensus
is a logical fallacy.
An aspect of security is being able to detect when you have been
compromised. Hence, it is a lot worse when the attacker is able to mask
their presence. At least when they only have root, they leave tracks,
and you can detect files, configs, and utilities that differ from the
norm or are out of place.
I think that any flaw that allows an attacker to elevate his pwnage from
root to hidden should always be considered a grave security issue.