Date: Fri, 30 Jul 1999 13:37:36 -0700
From: Mike Smith <mike@smith.net.au>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: "Brian F. Feldman" <green@FreeBSD.ORG>, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, hackers@FreeBSD.ORG
Subject: Re: So, back on the topic of enabling bpf in GENERIC...
Message-ID: <199907302037.NAA01060@dingo.cdrom.com>
In-Reply-To: Your message of "Fri, 30 Jul 1999 13:37:17 PDT." <199907302037.NAA94153@apollo.backplane.com>
> : But even if you turn off the bpf device, you still have /dev/mem and
> : /dev/kmem to worry about. For that matter, the intruder can still write
> : raw devices. Also, there is another kernel feature called kldload(8).
>
> BTW, I wrote this section because a hacker actually installed the bpf
> device via the module loader during one of the root compromises at BEST,
> a year or two ago. He had gotten it from a hackers cookbook of exploits
> which he conveniently left on-disk long enough for our daily backups to
> catch it :-).

This doesn't actually help the attacker much, since at that point in time
the network drivers wouldn't have been calling the bpf tap points, so it
might well have been loaded, but it wouldn't have been _doing_ anything
useful.

-- 
\\ The mind's the standard   \\ Mike Smith
\\ of the man.               \\ msmith@freebsd.org
\\    -- Joseph Merrick      \\ msmith@cdrom.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message