Date: Sat, 8 Sep 2001 17:54:50 -0500 From: D J Hawkey Jr <hawkeyd@visi.com> To: Kris Kennaway <kris@obsecurity.org> Cc: Alexander Langer <alex@big.endian.de>, deepak@ai.net, freebsd-security@FreeBSD.ORG Subject: Re: Kernel-loadable Root Kits Message-ID: <20010908175450.A79709@sheol.localdomain> In-Reply-To: <20010908153700.B72780@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Sep 08, 2001 at 03:37:00PM -0700 References: <GPEOJKGHAMKFIOMAGMDIGEHGFHAA.deepak_ai.net@ns.sol.net> <200109081052.f88AqRG30016@sheol.localdomain> <20010908141700.A53738@fump.kawo2.rwth-aachen.de> <20010908072542.A57605@sheol.localdomain> <20010908143231.A53801@fump.kawo2.rwth-aachen.de> <20010908074445.A77252@sheol.localdomain> <20010908181537.A840@ringworld.oblivion.bg> <20010908102816.B77764@sheol.localdomain> <20010908153700.B72780@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sep 08, at 03:37 PM, Kris Kennaway wrote: > > On Sat, Sep 08, 2001 at 10:28:16AM -0500, D J Hawkey Jr wrote: > > > Q: Can the kernel be "forced" to load a module from within itself? That > > is, does a cracker need to be in userland? > > If you're at securelevel 1 or higher, you shouldn't be able to cause > untrusted code to be loaded by the kernel by "legal" means, only by > "illegal" means such as exploiting kernel buffer overflows and other > bugs which may exist. Peter described the function calls to pull it off; I'm not knowledgable enough to argue the accuracy/simplicity/complexity of what he wrote. Except (an after-thought here), that the cracker would have to be pretty darned knowledgable about FreeBSD, after IDing the targetted system as FreeBSD (and perhaps even what release/patchlevel), to have or build such a backdoor, no? I believe it's the "illegal means" that are the concerns of this thread. > Kris Feel free to join in, you seem to be a jack-of-all-trades in these groups! Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010908175450.A79709>