Message-ID: <alpine.LNX.1.10.0905231505390.28966@be10.lrz>
Date: Sat, 23 May 2009 15:23:54 +0200 (CEST)
From: Bodo Eggert <7eggert@....de>
To: Andrea <andrea256it@...oo.it>
cc: 7eggert@....de, linux-kernel@...r.kernel.org
Subject: Re: super root shell/mode/api
On Tue, 19 May 2009, Andrea wrote:
>> If there is a malware with root privileges, this would be of no use. You are
>> 0wned.
>>
>> If there is a malware with user privileges, stopping these processes will
>> be enough.
>>
>> So why bother?
>
> That's exactly the problem: a remote attacker or virus
> can gain root and you are completely powerless. You want
> to save data? The attacker just logs you out before you
> can run any command. You can't even backup or save
> data! You are owned. Yes.
>
> With this super shell/mode/menu, in less than one second, you stop
> everything - a global SIGSTOP - and gain control over your machine!
The problem is: You can only do the first step. The second step is
prevented by the attacker replacing your super-root shell and the Linux
kernel with his specially crafted versions.
That's why you need a hypervisor or a virtual machine to do the job.
> You can save all memory, e.g. for controlling what happened
> or data recovery, sigstop without hurry all processes that seem
> a problem and so on.
You can't, since the attacker modified the "save memory" function to
exclude the malware and all your personal documents - or simply to
not work at all.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
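The "freeze first, look later" step the thread argues about (stop a process, then save its memory) can be exercised with ordinary signals. The following is an added example written for this page, not code from either poster; it is Linux-only, assumes a readable /proc filesystem, and uses a constructed idle Python child as the process under suspicion. Every value it reports (the stopped state, the mapping list) is supplied by the running kernel, which is exactly the dependency Bodo's reply points at: the example is only as trustworthy as the kernel it runs on.

```python
import os
import signal
import subprocess
import sys

# Constructed stand-in for "a process that seems a problem":
# an idle Python child that sleeps until told otherwise.
IDLE_CHILD = [sys.executable, "-c", "import time; time.sleep(60)"]


def proc_state(pid):
    """Return the one-letter scheduler state from /proc/<pid>/stat.

    'T' means stopped by a signal. The comm field is parenthesised and may
    itself contain spaces, so the state is located relative to the last ')'.
    This value comes from the kernel; a compromised kernel could say anything.
    """
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    return stat[stat.rindex(")") + 2]


def freeze_inspect_resume(cmd):
    """Start cmd, freeze it with SIGSTOP, inspect it, SIGCONT it, then reap it.

    Returns a small report so each step can be checked by the caller.
    """
    proc = subprocess.Popen(cmd)
    report = {}
    try:
        os.kill(proc.pid, signal.SIGSTOP)
        # waitpid with WUNTRACED returns as soon as the child is stopped,
        # so there is no need to poll /proc for the state change.
        _, status = os.waitpid(proc.pid, os.WUNTRACED)
        report["stopped"] = os.WIFSTOPPED(status)
        report["state"] = proc_state(proc.pid)
        # While frozen the address space is static; a responder would copy
        # /proc/<pid>/maps and /proc/<pid>/mem here. We only count mappings
        # to show the data is readable for a process we own.
        with open(f"/proc/{proc.pid}/maps") as f:
            report["mappings"] = sum(1 for _ in f)
        # Resume, then end the child normally with SIGTERM.
        os.kill(proc.pid, signal.SIGCONT)
        proc.terminate()
        proc.wait()
    finally:
        # Safety net: SIGKILL also works on a stopped process, so an error
        # between SIGSTOP and SIGCONT cannot leave a frozen child behind.
        if proc.poll() is None:
            proc.kill()
            proc.wait()
    report["exit_status"] = proc.returncode
    return report


if __name__ == "__main__":
    print(freeze_inspect_resume(IDLE_CHILD))
```

Run as root against every PID on the box this is the "global SIGSTOP" Andrea describes; the reply's objection is that the kernel answering the waitpid() and /proc reads may itself be the attacker's, so the same procedure is only meaningful when driven from outside the guest, from a hypervisor or the host.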