lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 4 Oct 2006 01:08:57 -0300
From:	"Julio Auto" <mindvortex@...il.com>
To:	"Chase Venters" <chase.venters@...entec.com>
Cc:	goodfellas@...llcode.com.ar,
	"Linux kernel" <linux-kernel@...r.kernel.org>,
	"Kyle Moffett" <mrmacman_g4@....com>,
	endrazine <endrazine@...il.com>,
	"Stephen Hemminger" <shemminger@...l.org>, Valdis.Kletnieks@...edu,
	"Alan Cox" <alan@...rguk.ukuu.org.uk>
Subject: Re: Registration Weakness in Linux Kernel's Binary formats

I sincerely think you're all missing the point here.

The observation is in fact something that can be used by rootkit
writers or developers of other forms of malware. Meaning that this is
always something else that people who work to make Linux a safer
environment will have to watch and look for (think of rootkit
detectors, for an example). I'm glad they've reported it, as someone
might be using it already for God knows how long. All very stealthy.
All I can think is that this is a very good opportunity for us to
rethink some designs and see if a little bit of effort wouldn't be
worth the advantages a patch might bring.

Don't get me wrong. I truly appreciate the freedom that Linux
provides, but this "well, root should be able to do anything, anyway"
mentality won't get this OS anywhere security-wise. If everyone
thought like that, then I'd guess that sys_call_table would be an
exported symbol until now, linux-gate wouldn't be randomized, and so
on.

Just a thought.

Cheers,

    Julio Auto

On 10/4/06, Chase Venters <chase.venters@...entec.com> wrote:
> On Tuesday 03 October 2006 14:12, SHELLCODE Security Research wrote:
> > Hello,
> > The present document aims to demonstrate a design weakness found in the
> > handling of simply
> > linked   lists   used   to   register   binary   formats   handled   by
> > Linux   kernel,   and   affects   all   the   kernel families
> > (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
> > kernelĀ­ space that can be used by malicious users to create infection
> > tools, for example rootkits.
>
> Yay, you've been Slashdotted!
>
> Question: Why did you personally submit this to Slashdot when it is absolutely
> clear that the observation is akin to figuring out a process can call fork()
> and exec() and become "/bin/rm" with an argv of "/bin/rm", "-rf", and "*"?
>
> Is this what you call good marketing?
>
> > POC, details and proposed solution at:
> > English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
> > Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
> >
>
> Thanks,
> Chase
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ