Date: Sat, 23 May 2009 15:23:54 +0200 (CEST)
From: Bodo Eggert <7eggert@....de>
To: Andrea <andrea256it@...oo.it>
cc: 7eggert@....de, linux-kernel@...r.kernel.org
Subject: Re: super root shell/mode/api

On Tue, 19 May 2009, Andrea wrote:

>> If there is a malware with root privileges, this would be of no use. You are
>> 0wned.
>>
>> If there is a malware with user privileges, stopping these processes will
>> be enough.
>>
>> So why bother?
>
> That's exactly the problem: a remote attacker or virus
> can gain root and you are completely powerless. You want
> to save data? The attacker just logs you out before you
> can run any command. You can't even backup or save
> data! You are owned.

Yes.

> With this super shell/mode/menu in less than one second, you stop
> everything - a global SIGSTP - and gain control over your machine!

The problem is: You can only do the first step. The second step is
prevented by the attacker replacing your super-root shell and the linux
kernel with his specially crafted versions.

That's why you need a hypervisor or a virtual machine to do the job.

> You can save all memory, e.g. for controlling what happened
> or data recovery, sigstop without hurry all processes that seem
> a problem and so on.

You can't, since the attacker modified the "save memory" function to
exclude the malware and all your personal documents - or simply to not
work at all.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/