lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BLU163-W71F56C13E32D2072ED11BB4BB0@phx.gbl>
Date: Tue, 6 Dec 2011 19:33:54 -0600
From: John Jacobs <flamdugen@...mail.com>
To: <themadichib0d@...il.com>, <full-disclosure@...ts.grok.org.uk>
Subject: Re: one of my servers has been compromized


> Sounds pretty neat to be honest. But one thing I'm wondering is that if  
> they have root, what's stopping them from turning that off? After all  
> they need root to load the modules in the first place, so if they are  
> in a position to want to do that, then they are in a position to turn  
> that off. Granted they probably wouldn't be able to load modules till  
> next boot(at least Id probably cry if that wasn't the case) but even  
> that can be a win scenario depending on how they want to execute the  

Hi Gage, thank you for your reply.  What you are missing is that by disabling kernel module loading you are applying a defense-in-depth strategy to prevent a *vulnerable* module from automatically loading in the first place resulting in root compromise.  I believe you may not be aware that some modules are loaded automatically if a corresponding special device is accessed.  Usually the userspace modprobe utility is executed though this can be controlled by the value of /proc/sys/kernel/modprobe

Preventing module loading has historically be a valuable way to prevent privilege escalation or further root compromise.  Such an example would be the 'ptrace' exploit, see http://www.sans.org/security-resources/malwarefaq/Ptrace.php

Historically there have been various kernel modules that are vulnerable that could be loaded by userland non-root programs or access.  Ubuntu likes to automatically load modules.

Removing CAP_SYS_MODULE or kernel.modules_disabled=1 make good security sense.  See http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3d43321b7015387cfebbe26436d0e9d299162ea1 and http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=25354c4fee169710fd9da15f3bb2abaa24dcf933 and https://wiki.ubuntu.com/Security/Features#block-modules

The goal here is defense in depth.  Revocation of loading the kernel modules cannot be undone unless a system reboot is effected which should be highly suspicious.

The goal isn't about protecting ones boxens from a theoretical boogie-man it is to leverage all available and sane methods for properly securing ones box.  I see no point to to use these options.

Thanks,
John


 		 	   		  
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ