Re: Kernel-loadable Root Kits

From: Kris Kennaway (kris@obsecurity.org)
Date: 09/09/01


Date: Sat, 8 Sep 2001 16:03:13 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: D J Hawkey Jr <hawkeyd@visi.com>


On Sat, Sep 08, 2001 at 05:54:50PM -0500, D J Hawkey Jr wrote:
> On Sep 08, at 03:37 PM, Kris Kennaway wrote:
> >
> > On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote:
> >
> > > Q: Can the kernel be "forced" to load a module from within itself? That
> > > is, does a cracker need to be in userland?
> >
> > If you're at securelevel 1 or higher, you shouldn't be able to cause
> > untrusted code to be loaded by the kernel by "legal" means, only by
> > "illegal" means such as exploiting kernel buffer overflows and other
> > bugs which may exist.
>
> Peter described the function calls to pull it off; I'm not knowledgeable
> enough to argue the accuracy/simplicity/complexity of what he wrote.

No, the kldload(2) syscall itself is denied at securelevel >=1.

> Except (an after-thought here), that the cracker would have to be
> pretty darned knowledgeable about FreeBSD, after IDing the targeted
> system as FreeBSD (and perhaps even what release/patchlevel), to have
> or build such a backdoor, no?

Well, only one person needs to be knowledgeable. Then they package up
their knowledge into a script and all the kiddies in the world can use
it.

> I believe it's the "illegal means" that are the concerns of this thread.

No, they're bugs in FreeBSD, and are fixed as soon as they're pointed
out to us, and should never again recur.

Kris



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
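The claim above (kldload(2) refused outright at securelevel >= 1) is something an administrator should verify on the box rather than trust. The program below is an added example, not part of Kris's message and not FreeBSD's own code: it reads kern.securelevel with sysctlbyname(3), states what the message says should happen (kldload also needs root at any securelevel, which is a fact of the kldload(2) syscall, not something the message spells out), then calls kldload(2) for real and reports the errno it gets. The module name "cd9660" is an assumption; any module not already in the running kernel works. The live probe only compiles on FreeBSD; the two policy helpers are portable.

```c
/* Added example, not from the original message or FreeBSD sources:
 * check that the running kernel really refuses kldload(2) at the
 * current securelevel.  Build on FreeBSD with:  cc -Wall -o kldprobe kldprobe.c
 * Run as root at securelevel 0 and again after  sysctl kern.securelevel=1  */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/linker.h>
#endif

/* What the message says the kernel does: at securelevel >= 1 the kldload(2)
 * syscall is refused with EPERM before any module is looked at.  Below that
 * level the caller still has to be root (kldload requires superuser). */
int kldload_expected(int securelevel, int is_root)
{
    if (securelevel >= 1)
        return EPERM;
    if (!is_root)
        return EPERM;
    return 0;
}

/* Turn the errno from a failed kldload(2) into the reason a tester cares
 * about.  EPERM is ambiguous on its own, so the securelevel is consulted. */
const char *explain_kld_errno(int err, int securelevel)
{
    switch (err) {
    case 0:      return "loaded";
    case EPERM:  return securelevel >= 1 ? "denied by securelevel"
                                         : "denied (not root)";
    case ENOENT: return "module file not found";
    case EEXIST: return "module already loaded or compiled into the kernel";
    default:     return strerror(err);
    }
}

#ifdef __FreeBSD__
/* Read kern.securelevel; -1 is the permanently insecure setting. */
int current_securelevel(void)
{
    int level = -1;
    size_t len = sizeof(level);
    if (sysctlbyname("kern.securelevel", &level, &len, NULL, 0) != 0)
        return -1;
    return level;
}

int main(void)
{
    int level = current_securelevel();
    int is_root = (geteuid() == 0);
    printf("kern.securelevel = %d, running as root = %d\n", level, is_root);
    printf("expected: %s\n",
           explain_kld_errno(kldload_expected(level, is_root), level));

    /* "cd9660" is an assumed module name; pick one not already loaded. */
    int id = kldload("cd9660");
    int err = (id < 0) ? errno : 0;
    printf("actual:   %s\n", explain_kld_errno(err, level));
    if (id >= 0)
        kldunload(id);          /* leave the system as we found it */
    return 0;
}
#else
int main(void)
{
    puts("the live kldload probe only runs on FreeBSD");
    return 0;
}
#endif
```

If "actual" is anything other than "denied by securelevel" while kern.securelevel is 1 or higher, the securelevel is not doing what this thread relies on and the box needs looking at. Remember that securelevel can only be raised from multi-user mode, never lowered, so test on a scratch machine or plan a reboot.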
