2006-10-03 22:00:34

by Stephen Hemminger

[permalink] [raw]
Subject: Re: Registration Weakness in Linux Kernel's Binary formats

On Tue, 3 Oct 2006 17:53:30 -0400
Kyle Moffett <[email protected]> wrote:

> On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> > Just forwarding....
>
> Well, you could have checked the list archives first to make sure the
> idiot didn't send it here himself. Secondly if you're going to
> forward something like this best send it to [email protected] first.
>
> Of course, it's partially the abovementioned idiot's fault for BCCing
> a mailing list and several others:
> > To: undisclosed-recipients
>
> > Hello,
> > The present document aims to demonstrate a design weakness found in
> > the
> > handling of simply linked lists used to register binary
> > formats handled by Linux kernel, and affects all
> > the kernel families (2.0/2.2/2.4/2.6), allowing the insertion of
> > infection modules in kernel space that can be used by malicious
> > users to create infection tools, for example rootkits.
>
> Would be nice if I could get to your paper to actually read it, but
> as it returns a 404 error I'm going to make one brief statement:
>
> If you can load another binary format or access the "simply linked
> lists" of the binfmt chain in any way, then you're root and therefore
> there are easier ways to own the box than patching the kernel.
>
> Cheers,
> Kyle Moffett

I looked at it, basically his argument which is all flowered up in pretty
pictures and security vulnerability language is:

If root loads a buggy module then the module can be used to compromise
the system.

Well isn't that surprising.

--
Stephen Hemminger <[email protected]>


2006-10-03 22:28:38

by Valdis Klētnieks

[permalink] [raw]
Subject: Re: Registration Weakness in Linux Kernel's Binary formats

On Tue, 03 Oct 2006 14:59:54 PDT, Stephen Hemminger said:

> I looked at it, basically his argument which is all flowered up in pretty
> pictures and security vulnerability language is:
>
> If root loads a buggy module then the module can be used to compromise
> the system.
>
> Well isn't that surprising.

Big yawner. Now if the claim had been that a properly buggy module, inserted
under a certain set of circumstances, got onto the binfmt list *even when the
process loading it wasn't root*, now *that* would be an exploit....


Attachments:
(No filename) (226.00 B)