
Re: down to the core



On 29 Jul 2004, Arnt Karlsen wrote:
> On Wed, 28 Jul 2004 09:28:55 -0700 (PDT), Mike wrote in message 
> <20040728162855.21881.qmail@web11904.mail.yahoo.com>:
>
>>
>> --- Arnt Karlsen <arnt@c2i.net> wrote:
>>
>>> On Wed, 28 Jul 2004 13:10:46 +1000, Daniel wrote in message 
>>> <87pt6gomh5.fsf@enki.rimspace.net>:
>>>
>>>> One thing which will *not* enhance security, but is often claimed
>>>> to do so, is disabling kernel modules.  Even if you don't use
>>>> them, an attacker with root privileges can still insert code into
>>>> the running kernel successfully, with the same result as loading a
>>>> kernel module.
>>>
>>> ..this would require the presence of the loadable module, 
>>> or _could_ the attacker provide it?
>>>
>> You need root to do module loading.  With root you can also change
>> kernel memory, so yes you could force a module to load.  It would be
>> simpler just to add the missing code you need to the running kernel
>> and then link it in.  Nonetheless, if you have root access the only
>> reason you might need to load any kernel side code is for DMA or
>> handling HW interrupts.  Since it's unlikely that an attacker would
>> need or even care to do these things the point is moot.  Bottom line
>> is if an attacker gets root it's ALL over, they can install any
>> software they might need.
>
> ..so basically, this boils down to whether or not it is 
> possible to grab root with some kinda netcat stunt.

It boils down to this:

1. Linking a kernel module can be done in userspace.
2. Root can write to kernel memory.

Thus, root can install a kernel module without the kernel module loader,
if that is desired.

Not as easy, of course, but still possible.

    daniel

-- 
I used to be the first kid on the block wanting a cranial implant,
now I want to be the first with a cranial firewall.
        -- Charlie Stross