* Fwd: Registration Weakness in Linux Kernel's Binary formats
From: Bráulio Oliveira @ 2006-10-03 21:25 UTC
To: linux-kernel
Just forwarding....
---------- Forwarded message ----------
From: SHELLCODE Security Research <GoodFellas@shellcode.com.ar>
Date: Oct 3, 2006 4:13 PM
Subject: Registration Weakness in Linux Kernel's Binary formats
To: undisclosed-recipients
Hello,
The present document aims to demonstrate a design weakness found in the
handling of simply linked lists used to register binary formats handled by
Linux kernel, and affects all the kernel families (2.0/2.2/2.4/2.6),
allowing the insertion of infection modules in kernel space that can be
used by malicious users to create infection tools, for example rootkits.
POC, details and proposed solution at:
English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
regards,
--
SHELLCODE Security Research TEAM
GoodFellas@shellcode.com.ar
http://www.shellcode.com.ar
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
* Re: Registration Weakness in Linux Kernel's Binary formats
From: Kyle Moffett @ 2006-10-03 21:53 UTC
To: Bráulio Oliveira; +Cc: linux-kernel
On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> Just forwarding....
Well, you could have checked the list archives first to make sure the
idiot didn't send it here himself. Secondly if you're going to
forward something like this best send it to security@kernel.org first.
Of course, it's partially the abovementioned idiot's fault for BCCing
a mailing list and several others:
> To: undisclosed-recipients
> Hello,
> The present document aims to demonstrate a design weakness found in
> the handling of simply linked lists used to register binary
> formats handled by Linux kernel, and affects all
> the kernel families (2.0/2.2/2.4/2.6), allowing the insertion of
> infection modules in kernel space that can be used by malicious
> users to create infection tools, for example rootkits.
Would be nice if I could get to your paper to actually read it, but
as it returns a 404 error I'm going to make one brief statement:
If you can load another binary format or access the "simply linked
lists" of the binfmt chain in any way, then you're root and therefore
there are easier ways to own the box than patching the kernel.
Cheers,
Kyle Moffett
* Re: Registration Weakness in Linux Kernel's Binary formats
From: Stephen Hemminger @ 2006-10-03 21:59 UTC
To: linux-kernel
On Tue, 3 Oct 2006 17:53:30 -0400
Kyle Moffett <mrmacman_g4@mac.com> wrote:
> On Oct 03, 2006, at 17:25:07, Bráulio Oliveira wrote:
> > Just forwarding....
>
> Well, you could have checked the list archives first to make sure the
> idiot didn't send it here himself. Secondly if you're going to
> forward something like this best send it to security@kernel.org first.
>
> Of course, it's partially the abovementioned idiot's fault for BCCing
> a mailing list and several others:
> > To: undisclosed-recipients
>
> > Hello,
> > The present document aims to demonstrate a design weakness found in
> > the handling of simply linked lists used to register binary
> > formats handled by Linux kernel, and affects all
> > the kernel families (2.0/2.2/2.4/2.6), allowing the insertion of
> > infection modules in kernel space that can be used by malicious
> > users to create infection tools, for example rootkits.
>
> Would be nice if I could get to your paper to actually read it, but
> as it returns a 404 error I'm going to make one brief statement:
>
> If you can load another binary format or access the "simply linked
> lists" of the binfmt chain in any way, then you're root and therefore
> there are easier ways to own the box than patching the kernel.
>
> Cheers,
> Kyle Moffett
I looked at it, basically his argument which is all flowered up in pretty
pictures and security vulnerability language is:
If root loads a buggy module then the module can be used to compromise
the system.
Well isn't that surprising.
--
Stephen Hemminger <shemminger@osdl.org>
* Re: Fwd: Registration Weakness in Linux Kernel's Binary formats
From: endrazine @ 2006-10-03 21:53 UTC
To: Bráulio Oliveira; +Cc: linux-kernel
Hi,
I can't say if the vulnerability is real,
but I do know pdfs are _unsafe_ these days...
Regards,
endrazine-
Bráulio Oliveira wrote:
> Just forwarding....
>
> ---------- Forwarded message ---------- From: SHELLCODE Security
> Research <GoodFellas@shellcode.com.ar> Date: Oct 3, 2006 4:13 PM
> Subject: Registration Weakness in Linux Kernel's Binary formats To:
> undisclosed-recipients
>
>
> Hello, The present document aims to demonstrate a design weakness
> found in the handling of simply linked lists used to
> register binary formats handled by Linux kernel, and
> affects all the kernel families (2.0/2.2/2.4/2.6), allowing
> the insertion of infection modules in kernel space that can be
> used by malicious users to create infection tools, for example
> rootkits.
>
> POC, details and proposed solution at: English version:
> http://www.shellcode.com.ar/docz/binfmt-en.pdf Spanish version:
> http://www.shellcode.com.ar/docz/binfmt-es.pdf
>
> regards, -- SHELLCODE Security Research TEAM
> GoodFellas@shellcode.com.ar http://www.shellcode.com.ar