[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

WARNING! uap8xxx.ko is insecure [was: Re: functioning libertas_uap from source (still needs firmware blob)]

On 05/27/2010 12:57 AM, Daniel Kahn Gillmor wrote:
> To get to act as an AP, i had to copy /usr/bin/uaputl from another
> guruplug.  It seems to work fine.  If no one has gotten the code from
> marvell, i'll look into replacing uaputl -- it doesn't look too complex.

WARNING!  testing uaputl tonight, i realized that i could run it as a
completely non-privileged user, and it would have full control over the
wireless device.  my non-priv user can not only to read the security
keys, etc, but to do things like start and stop the broadcast beacon,
change the ssid, etc.

This suggests the complete lack of a security model in the libertas_uap
module supplied by marvell, uap8xxx.ko.  I have not yet reviewed what
other internal kernel operations might be accessible from the ioctl
interface exported by uap8xxx.ko.

Please be aware that using this kernel module on a sensitive system
means at least that local non-privileged users will be able to modify
wireless settings, and possibly do other things that only root should
probably be able to do.

I'd appreciate verification of this from someone who is still running
the factory-installed kernel, by the way.

The libertas_uap code needs a security audit by someone with kernel
module development skills.


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: