Re: Registration Weakness in Linux Kernel's Binary formats

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Hemminger <shemminger@osdl.org>
To: linux-kernel@vger.kernel.org
Subject: Re: Registration Weakness in Linux Kernel's Binary formats
Date: Tue, 3 Oct 2006 14:59:54 -0700	[thread overview]
Message-ID: <20061003145954.06b2aa49@freekitty> (raw)
In-Reply-To: 198AC4CE-A2CC-41DB-8D53-BDFB7959781B@mac.com

On Tue, 3 Oct 2006 17:53:30 -0400
Kyle Moffett <mrmacman_g4@mac.com> wrote:

> On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> > Just forwarding....
> 
> Well, you could have checked the list archives first to make sure the  
> idiot didn't send it here himself.  Secondly if you're going to  
> forward something like this best send it to security@kernel.org first.
> 
> Of course, it's partially the abovementioned idiot's fault for BCCing  
> a mailing list and several others:
> > To: undisclosed-recipients
> 
> > Hello,
> > The present document aims to demonstrate a design weakness found in  
> > the
> > handling of simply linked   lists   used   to   register   binary    
> > formats   handled   by Linux   kernel,   and   affects   all    
> > the   kernel families (2.0/2.2/2.4/2.6), allowing the insertion of  
> > infection modules in kernel  space that can be used by malicious  
> > users to create infection tools, for example rootkits.
> 
> Would be nice if I could get to your paper to actually read it, but  
> as it returns a 404 error I'm going to make one brief statement:
> 
> If you can load another binary format or access the "simply linked  
> lists" of the binfmt chain in any way, then you're root and therefore  
> there are easier ways to own the box than patching the kernel.
> 
> Cheers,
> Kyle Moffett

I looked at it, basically his argument which is all flowered up in pretty
pictures and security vulnerability language is:

   If root loads a buggy module then the module can be used to compromise
   the system.

Well isn't that surprising.

-- 
Stephen Hemminger <shemminger@osdl.org>

next prev parent reply	other threads:[~2006-10-03 22:00 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-10-03 21:25 Fwd: Registration Weakness in Linux Kernel's Binary formats Bráulio Oliveira
2006-10-03 21:53 ` Kyle Moffett
2006-10-03 21:59   ` Stephen Hemminger [this message]
2006-10-03 22:28     ` Valdis.Kletnieks
2006-10-03 21:53 ` Fwd: " endrazine
  -- strict thread matches above, loose matches on Subject: below --
2006-10-04  4:08 Julio Auto
2006-10-04  4:25 ` Chase Venters
2006-10-04 14:55   ` Alan Cox
2006-10-04 14:34     ` Xavier Bestel
2006-10-04  5:40 ` Kyle Moffett
2006-10-04  7:11   ` Peter Read
2006-10-03 19:13 SHELLCODE Security Research
2006-10-03 21:48 ` Chase Venters
2006-10-03 22:54   ` Alan Cox
2006-10-04  3:49 ` Chase Venters

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20061003145954.06b2aa49@freekitty \
    --to=shemminger@osdl.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.