Date: Wed, 5 Nov 1997 19:47:03 -0500 (EST)
From: Chuck Robey <chuckr@glue.umd.edu>
To: Matthew Thyer <Matthew.Thyer@dsto.defence.gov.au>
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: [Fwd: Malicious Linux modules - be worried !]
Message-ID: <Pine.BSF.3.96.971105193910.3678J-100000@localhost>
In-Reply-To: <34611335.8601A3B@dsto.defence.gov.au>
On Thu, 6 Nov 1997, Matthew Thyer wrote:

> I assume FreeBSD LKMs could do this kind of thing too.

[mail header stuff elided]

> > As halflife demonstrated in Phrack 50 with his linspy project, it is trivial
> > to patch any system call under Linux from within a module. This means that
> > once your system has been compromised at the root level, it is possible for
> > an intruder to hide completely _without_ modifying any binaries or leaving
> > any visible backdoors behind. Because such tools are likely to be in use
> > within the hacker community already, I decided to publish a piece of code to
> > demonstrate the potentials of a malicious module.

I guess this'd be possible? It seems a kinda trivial thing, to be able to get
a kernel to be able to recognize valid LKMs. I may not see all the problems
with this, because I always compile my own kernel/LKMs, but it seems pretty
simple, and low cost, to embed something akin to md5 checksums.

I don't always tend to be the most paranoid person around, so it seems a lot
of trouble, tho, because if someone's got root privs already, this is just one
of many possible things to kill. Why go to this kind of trouble, when there
are easier ways? As far as that goes, I could easily md5 check my LKMs right
now, and put a cron job up to check them as often as I please, right? No way
around that at all.

It seems to me to be far more important to protect against the initial
attack, than to go crazy trying to figure out how many ways someone who
already has root privs can hurt you.

----------------------------+-----------------------------------------------
Chuck Robey                 | Interests include any kind of voice or data
chuckr@glue.umd.edu         | communications topic, C programming, and Unix.
213 Lakeside Drive Apt T-1  |
Greenbelt, MD 20770         | I run Journey2 and picnic, both FreeBSD
(301) 220-2114              | version 3.0 current -- and great FUN!
----------------------------+-----------------------------------------------
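The "md5 check my LKMs and run it from cron" idea from the message above, written out as an added example (not code from the thread or from FreeBSD): a baseline of module-file digests is recorded once, and a later run reports files that changed, disappeared, or appeared. The module directory and baseline path are placeholders; the message's own caveat applies, since an attacker with root can edit the baseline or the checker, so the baseline belongs on read-only or offline storage.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a directory of module
# files (e.g. /modules or /boot/kernel, placeholder) and a baseline file kept
# somewhere root on the checked host cannot quietly rewrite.
# Usage: lkm_baseline /modules /var/db/lkm.md5
#        lkm_verify   /modules /var/db/lkm.md5   (cron: run as often as wanted)

# Print "hash path" for each argument. FreeBSD ships md5(1); md5 -r gives the
# same "hash path" layout as GNU md5sum.
digest_cmd() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$@"
    else
        md5 -r "$@"
    fi
}

# Record one "hash path" line per regular file under $1 into baseline file $2.
lkm_baseline() {
    dir=$1; out=$2
    find "$dir" -type f | sort | while IFS= read -r f; do
        digest_cmd "$f"
    done > "$out"
}

# Compare the tree under $1 against baseline $2. Prints CHANGED / MISSING /
# NEW lines and returns 1 if anything differs, 0 if the tree matches.
lkm_verify() {
    dir=$1; base=$2; status=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(digest_cmd "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$base"
    # Files present now but absent from the baseline (paths without spaces).
    for f in $(find "$dir" -type f | sort); do
        awk '{print $2}' "$base" | grep -qxF -- "$f" || {
            echo "NEW $f"; status=1
        }
    done
    return $status
}
```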