| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0610031645340.3514@turbotaz.ourhouse> Date: Tue, 3 Oct 2006 16:48:02 -0500 (CDT) From: Chase Venters <chase.venters@...entec.com> To: SHELLCODE Security Research <GoodFellas@...llcode.com.ar> cc: linux-kernel@...r.kernel.org Subject: Re: Registration Weakness in Linux Kernel's Binary formats On Tue, 3 Oct 2006, SHELLCODE Security Research wrote: > Hello, > The present document aims to demonstrate a design weakness found in the > handling of simply > linked lists used to register binary formats handled by > Linux kernel, and affects all the kernel families > (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in > kernel space that can be used by malicious users to create infection > tools, for example rootkits. So the problem you find is that newly registered binfmts are inserted into the front of the binfmt list instead of the rear, and this means that a binfmt handler can slip in at runtime at run quietly before any other handler? I'm not sure I see this as a real problem. If you can load a module into kernel space and access arbitrary symbols (not to mention run in ring 0) I think you can do a lot more than just hide out on the binfmt list. Am I missing something? > POC, details and proposed solution at: > English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf > Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf > > regards, > -- > SHELLCODE Security Research TEAM > GoodFellas@...llcode.com.ar > http://www.shellcode.com.ar > Thanks, Chase
Powered by blists - more mailing lists