Bugtraq mailing list archives
Re: your mail
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 12 Jul 1999 18:16:58 +1000
In some mail from Anonymous, sie said:
> Hi folks, THC released a new article dealing with FreeBSD 3.x Kernel modules that can attack/backdoor the system. You can find our article on http://thc.pimmel.com or http://r3wt.base.org.

A couple of comments.

This is only possible on systems which are already insecure (securelevel < 0). In other environments, modules which are loaded (and their parent directories) should be immutable, preventing someone from loading their own. Similar protection of startup scripts and things run at boot time is also required.

Generally, once someone has root on the system it should be considered "game over" and it is necessary to rebuild from scratch :-(

In section III, (3), putting hashes in the kernel is not of much use unless the kernel is immutable. In (4), it should say that any tool which directly interrogates /dev/kmem will also circumvent hacking sysctl (unless that tool itself is also hacked, which is what the original trojans for ps did in rootkits).

In general, nothing written up is new, except the sploits for script kiddies.

I trust you folks are also working on Solaris exploits, where it is (currently) impossible to disable loadable modules...

Darren
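An added example (not part of the message above or of the THC article): a shell check for the two conditions the reply names, the securelevel and the immutable flag on modules and their parent directories. It assumes FreeBSD's `ls -lo` column layout and treats securelevel 1 or higher as the level at which `schg` can no longer be cleared; the `/modules` paths and the listing are constructed.

```shell
#!/bin/sh
# On a FreeBSD host the inputs would come from:
#   sysctl -n kern.securelevel
#   ls -lod /modules /modules/*    (path is an assumption; add boot scripts too)
# Both are passed in here so the check can run on constructed data.

# has_schg FLAGS: succeeds if the comma-separated flag list contains schg.
has_schg() {
    case ",$1," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_modules SECURELEVEL, with `ls -lo` lines on stdin.
# Prints one FAIL line per problem and returns 1 if anything failed.
audit_modules() {
    level=$1
    rc=0
    # Assumption: below securelevel 1, root can still clear schg.
    if [ "$level" -lt 1 ]; then
        echo "FAIL securelevel=$level"
        rc=1
    fi
    # ls -lo columns: mode links owner group flags size month day time name
    while read -r mode links owner group flags size mon day time name; do
        [ -n "$name" ] || continue      # skips "total N" and blank lines
        has_schg "$flags" || { echo "FAIL not-immutable $name"; rc=1; }
    done
    return $rc
}

# Constructed listing: the directory and one module are immutable, one is not.
sample_listing() {
    cat <<'EOF'
dr-xr-xr-x  2 root  wheel  schg  512 Jul 12 18:16 /modules
-r-xr-xr-x  1 root  wheel  schg 9120 Jul 12 18:16 /modules/good.ko
-r-xr-xr-x  1 root  wheel  -    7300 Jul 12 18:16 /modules/other.ko
EOF
}

sample_listing | audit_modules 0 || true
```

A file reported as not immutable can be fixed with `chflags schg` before the securelevel is raised.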