Re: Kernel-loadable Root Kits

From: Kris Kennaway (kris@obsecurity.org)
Date: 09/09/01


Date: Sat, 8 Sep 2001 16:03:13 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: D J Hawkey Jr <hawkeyd@visi.com>


On Sat, Sep 08, 2001 at 05:54:50PM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 03:37 PM, Kris Kennaway wrote:
> >
> > On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> >
> > > Q: Can the kernel be "forced" to load a module from within itself? That
> > > is, does a cracker need to be in userland?
> >
> > If you're at securelevel 1 or higher, you shouldn't be able to cause
> > untrusted code to be loaded by the kernel by "legal" means, only by
> > "illegal" means such as exploiting kernel buffer overflows and other
> > bugs which may exist.
>
> Peter described the function calls to pull it off; I'm not knowledgable
> enough to argue the accuracy/simplicity/complexity of what he wrote.

No, the kldload(2) syscall itself is denied at securelevel >=1.

> Except (an after-thought here), that the cracker would have to be
> pretty darned knowledgable about FreeBSD, after IDing the targetted
> system as FreeBSD (and perhaps even what release/patchlevel), to have
> or build such a backdoor, no?

Well, only one person needs to be knowledgeable. Then they package up
their knowledge into a script and all the kiddies in the world can use
it.

> I believe it's the "illegal means" that are the concerns of this thread.

No, they're bugs in FreeBSD, and are fixed as soon as they're pointed
out to us, and should never again recur.

Kris



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message