Date: Sat, 8 Sep 2001 18:37:28 +0300 From: Peter Pentchev <roam@ringlet.net> To: D J Hawkey Jr <hawkeyd@visi.com> Cc: Alexander Langer <alex@big.endian.de>, deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908183728.D840@ringworld.oblivion.bg> In-Reply-To: <20010908102816.B77764@sheol.localdomain>; from hawkeyd@visi.com on Sat, Sep 08, 2001 at 10:28:16AM -0500 References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net> <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote: > On Sep 08, at 06:15 PM, Peter Pentchev wrote: > > > > On Sat, Sep 08, 2001 at 07:44:45AM -0500, D J Hawkey Jr wrote: > > > On Sep 08, at 02:32 PM, Alexander Langer wrote: > > > > > > > > Thus spake D J Hawkey Jr (hawkeyd@visi.com): > > > > > > > > > > This still lets you load own kernel modules. > > > > > > > > > > Not if you blow away the /modules directory (note that I haven't tried > > > > > this). > > > > > > > > /me hands Dave a decent C compiler and some C h0h0magic. > > > > > > I didn't write "build the kernel without it". > > > > > > As I wrote, I hadn't tried it. I take it one cannot remove that tree, > > > even after seeing that the kernel doesn't need it? I'm meaning run-time > > > here, not build-time. > > > > I believe that what Alex meant is that you can simulate kldload(8)'s > > functionality in a little C program of your own. Even more than that, > > kldload(8) itself allows you to specify a full path to a module, > > not just a filename, so even if you blow away the /modules directory, > > J. Random Luser can still 'kldload /var/tmp/rkit.kld'. > > > > Yes, you can remove /modules; no, that does not gain you any safety. > > Kris addressed this, too, and yes, you're both right. > > Q: Can the kernel be "forced" to load a module from within itself? That > is, does a cracker need to be in userland? Yes, certainly; all kldload(8) does is invoke the kldload(2) syscall, nothing more, nothing userspace-magical. All a kernel routine needs to do is either invoke that syscall, or call the internal kernel functions that kldload(2) calls, like e.g. linker_find_file_by_name() and linker_load_file() in sys/kern/kern_linker.c G'luck, Peter -- This sentence would be seven words long if it were six words shorter. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908183728.D840>