Re: More modutils: It's probably worse.

[Michal Zalewski <lcamtuf () DIONE IDS PL>]

On Mon, 13 Nov 2000, Chris Evans wrote:

> modprobe -C, to specify a config file other than /etc/modules.conf,
> would be an interesting route to play with.

You are wrong - modprobe WON'T parse eg. argv[n]="-r blahblah" or
argv[n]="-rblahblah" - every switch that requires additional parameters
has to be split into two argv[] entries (argv[n]="-r",
argv[n+1]="blahblah"). It is not possible to split anything into two or
more separate argv entries using request_module() call - where
/sbin/modprobe is called with user-supplied module name as argv[3]. The
same applies to module parameter parsing (so 'mymodule someparam=xxx'
won't work as well), etc. And, finally, at least my modprobe from modutils
2.1.121, have no -C switch.

Another thing I don't get regarding all the feedback - request_module()
contains pretty strict checks, and couldn't be called without root
privledges or specific capabilities. And the only one location where it
seems to be called with user-supplied module name is the networking code.
Maybe I am missing something, but at least for me, modprobe
vulnerabilities are exploitable via privledged networking services,
nothing more.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=