lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200406181741.i5IHf0UJ014231@mailserver3.hushmail.com>
Date: Fri, 18 Jun 2004 10:40:59 -0700
From: "blexim" <blexim@...h.com>
To: bugtraq@...urityfocus.com
Subject: Re: Unprivilegued settings for FreeBSD kernel variables


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>> I've already told you that there is no such threat, since the attack
>> you describe can only be initiated by someone who already has
>> unrestricted access.  Please stop wasting everybody's time.
> You are wrong. Unrestricted access means _really unrestricted_ and
>kernel securelevel restricts access to certain places even to root.
>IMHO, it's dagerous bug, because some administrators can think "...hmm,

>I've enabled the hardest securelevel and even if a hacker would break
>into my host with r00t privileges he will be restricted in certain ways.
>The only thing he can do is to change /etc/rc.conf (for example) and
>_reboot_ my host. But I will notice the reboot." So, for certain
>people the following formulae may hold:
>         Hardest securelevel + no reboots = good security.
>
> But this bug changes things. One can lower securelevel, do some nasty
things
>and raise it again _without reboots_. So, as I've already noted, you
are wrong.
>The bug _gives_ you almost unrestricted access.

You can't load the LKM unless securelevel <= 0.  Therefore, if securelevel
> 0 (the default securelevel for multi-user operation is 1) you can't
load your evil LKM & thus can't lower the securelevel.  Essentially this
means that if the securelevel is 0 or lower, you can lower it even further,
 but if this is the case there are no protections effected by securelevel
anyway.  In other words, there is absolutely no threat presented by the
attack you describe.

blexim
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDTKTMACgkQsE7ilXLZoGa3vwCdEM0+r9e9OMBvXs8HXIsVyIsCzDgA
n2CffOjRHyMfT3WdLCY9opAV9qdK
=uDmH
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about.php?subloc=affiliate&l=427


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ