Bugtraq mailing list archives

Re: your mail


From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 12 Jul 1999 18:16:58 +1000


In some mail from Anonymous, sie said:

Hi folks,

THC released a new article dealing with FreeBSD 3.x
Kernel modules that can attack/backdoor the
system.
You can find our article on http://thc.pimmel.com or
http://r3wt.base.org.

A couple of comments.  This is only possible on systems which are
already insecure (securelevel < 0).  In other environments, modules
which are loaded (and their parent directories) should be immutable,
preventing someone from loading their own.  Similar protection of
startup scripts and things run at boot time is also required.

Generally, once someone has root on the system it should be considered
"game over" and it is necessary to rebuild from scratch :-(

In section III, (3), putting hashes in the kernel is not of much use
unless the kernel is immutable.  In (4), it should say that any tool which
directly interrogates /dev/kmem will also circumvent hacking sysctl (unless
that tool itself is also hacked, which is what the original trojans for
ps did in rootkits).

In general, nothing written up is new, except the sploits for script
kiddies.  I trust you folks are also working on Solaris exploits, where
it is (currently) impossible to disable loadable modules...

Darren
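The hardening Darren describes (immutable module files and their parent directories, protected startup scripts, a securelevel that refuses module loading), as an added shell example; this is not code from the post or from THC. It assumes the FreeBSD 3.x layout (kernel at /kernel, kld modules under /modules, startup scripts in /etc/rc* and /usr/local/etc/rc.d), that `ls -lo` prints the file flags in its fifth column, and the rc.conf knobs kern_securelevel_enable and kern_securelevel; the sample `ls -lo` listing is constructed so the audit runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or THC. Assumes FreeBSD 3.x
# layout: kernel at /kernel, kld modules under /modules, startup scripts
# /etc/rc* and /usr/local/etc/rc.d, and that `ls -lo` prints the file
# flags in its fifth column ("-" when no flags are set).

# check_immutable: read `ls -lo` output on stdin and report every entry
# whose flags do not include schg (system immutable). Exit 0 only if every
# listed file and directory is immutable.
check_immutable() {
    awk '
        /^total/ || NF < 9 { next }          # skip "total N" and blank lines
        {
            n = split($5, flag, ",")         # flags field, e.g. "schg,uchg" or "-"
            ok = 0
            for (i = 1; i <= n; i++) if (flag[i] == "schg") ok = 1
            if (!ok) { print "NOT IMMUTABLE: " $NF; bad++ }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# securelevel_blocks_kldload LEVEL: succeed if a kernel running at this
# securelevel refuses kldload. FreeBSD refuses module loading at
# securelevel 1 or higher; -1 and 0 are the insecure levels.
securelevel_blocks_kldload() {
    [ "$1" -ge 1 ]
}

# harden: apply the recommended settings on a real FreeBSD box. rc.conf is
# edited before it is flagged, because schg makes it unwritable, and schg
# cannot be cleared again while securelevel >= 1, so run this once from
# single-user mode. Not run by default.
harden() {
    command -v chflags >/dev/null 2>&1 || { echo "no chflags; not FreeBSD" >&2; return 1; }
    # Assumed rc.conf knobs (FreeBSD 3.x): raise securelevel at every boot.
    grep -q '^kern_securelevel=' /etc/rc.conf || \
        printf 'kern_securelevel_enable="YES"\nkern_securelevel="1"\n' >> /etc/rc.conf
    # Kernel, modules and their directory, and everything run at boot time.
    for f in /kernel /modules /etc/rc /etc/rc.conf /etc/rc.network /usr/local/etc/rc.d; do
        [ -e "$f" ] && chflags -R schg "$f"
    done
}

# Constructed sample of `ls -lo` output: an immutable kernel and module
# directory, and one module file that an attacker with root could replace.
SAMPLE='-r--r--r--  1 root  wheel  schg  2051349 Jul 12 10:00 /kernel
drwxr-xr-x  2 root  wheel  schg      512 Jul 12 10:00 /modules
-r--r--r--  1 root  wheel  -       20480 Jul 12 10:00 /modules/ipfw.ko'

printf '%s\n' "$SAMPLE" | check_immutable || echo "audit failed: fix with chflags schg"
# NOT IMMUTABLE: /modules/ipfw.ko
# audit failed: fix with chflags schg
```

On a live system feed the audit real output, e.g. `ls -lo /kernel /modules/* /etc/rc* | check_immutable`, and check `sysctl -n kern.securelevel` with securelevel_blocks_kldload; the directory must carry schg as well as the modules, or the files can simply be renamed away and replaced.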

