Bugtraq mailing list archives
Re: More modutils: It's probably worse.
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 14 Nov 2000 00:06:32 +0100
On Mon, 13 Nov 2000, Chris Evans wrote:
modprobe -C, to specify a config file other than /etc/modules.conf, would be an interesting route to play with.
You are wrong - modprobe WON'T parse eg. argv[n]="-r blahblah" or argv[n]="-rblahblah" - every switch that requires additional parameters has to be split into two argv[] entries (argv[n]="-r", argv[n+1]="blahblah"). It is not possible to split anything into two or more separate argv entries using request_module() call - where /sbin/modprobe is called with user-supplied module name as argv[3]. The same applies to module parameter parsing (so 'mymodule someparam=xxx' won't work as well), etc. And, finally, at least my modprobe from modutils 2.1.121, have no -C switch. Another thing I don't get regarding all the feedback - request_module() contains pretty strict checks, and couldn't be called without root privledges or specific capabilities. And the only one location where it seems to be called with user-supplied module name is the networking code. Maybe I am missing something, but at least for me, modprobe vulnerabilities are exploitable via privledged networking services, nothing more. _______________________________________________________ Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=
Current thread:
- More modutils: It's probably worse. Chris Evans (Nov 14)
- Re: More modutils: It's probably worse. Michal Zalewski (Nov 14)