2006-10-03 21:25:11

by Bráulio B O Bhavamitra

Subject: Fwd: Registration Weakness in Linux Kernel's Binary formats

Just forwarding....

---------- Forwarded message ----------
From: SHELLCODE Security Research <[email protected]>
Date: Oct 3, 2006 4:13 PM
Subject: Registration Weakness in Linux Kernel's Binary formats
To: undisclosed-recipients


Hello,
The present document aims to demonstrate a design weakness found in the
handling of simply linked lists used to register binary formats handled by
Linux kernel, and affects all the kernel families (2.0/2.2/2.4/2.6),
allowing the insertion of infection modules in kernel space that can be
used by malicious users to create infection tools, for example rootkits.

POC, details and proposed solution at:
English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf

regards,
--
SHELLCODE Security Research TEAM
[email protected]
http://www.shellcode.com.ar



2006-10-03 21:54:08

by endrazine

Subject: Re: Fwd: Registration Weakness in Linux Kernel's Binary formats

Hi,
I can't say if the vulnerability is real,
but I do know pdfs are _unsafe_ those days...

Regards,

endrazine-

Bráulio Oliveira wrote:
> Just forwarding....
>
> ---------- Forwarded message ---------- From: SHELLCODE Security
> Research <[email protected]> Date: Oct 3, 2006 4:13 PM
> Subject: Registration Weakness in Linux Kernel's Binary formats To:
> undisclosed-recipients
>
>
> Hello, The present document aims to demonstrate a design weakness
> found in the handling of simply linked lists used to
> register binary formats handled by Linux kernel, and
> affects all the kernel families (2.0/2.2/2.4/2.6), allowing
> the insertion of infection modules in kernel space that can be
> used by malicious users to create infection tools, for example
> rootkits.
>
> POC, details and proposed solution at: English version:
> http://www.shellcode.com.ar/docz/binfmt-en.pdf Spanish version:
> http://www.shellcode.com.ar/docz/binfmt-es.pdf
>
> regards, -- SHELLCODE Security Research TEAM
> [email protected] http://www.shellcode.com.ar


2006-10-03 21:53:48

by Kyle Moffett

Subject: Re: Registration Weakness in Linux Kernel's Binary formats

On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> Just forwarding....

Well, you could have checked the list archives first to make sure the
idiot didn't send it here himself. Secondly if you're going to
forward something like this best send it to [email protected] first.

Of course, it's partially the abovementioned idiot's fault for BCCing
a mailing list and several others:
> To: undisclosed-recipients

> Hello,
> The present document aims to demonstrate a design weakness found in
> the handling of simply linked lists used to register binary formats
> handled by Linux kernel, and affects all the kernel families
> (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
> kernel space that can be used by malicious users to create infection
> tools, for example rootkits.

Would be nice if I could get to your paper to actually read it, but
as it returns a 404 error I'm going to make one brief statement:

If you can load another binary format or access the "simply linked
lists" of the binfmt chain in any way, then you're root and therefore
there are easier ways to own the box than patching the kernel.

Cheers,
Kyle Moffett