oss-sec mailing list archives

Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions


From: Kees Cook <kees () ubuntu com>
Date: Fri, 25 Feb 2011 23:30:38 -0800

On Fri, Feb 25, 2011 at 03:10:10PM +0300, Vasiliy Kulikov wrote:
> UID 0 without capabilities has not been made really unprivileged yet.
> It makes sense only within namespace container without any virtual
> filesystem which handles permissions with uid/gid checks (not CAP_*).
> But this is rather strange.

True, but I was just trying to show some examples. The case I'm most
concerned about is the case where modules_disable has been set. It
is possible to use acpi/custom_method to unset this and then load
kernel rootkit modules, etc.

I know it's a special case, but it still provides arbitrary kernel
memory writes which is not an intended ability for any user to
have, even root.

-Kees

-- 
Kees Cook
Ubuntu Security Team
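An added audit script, not part of this thread or of Kees's message: it checks, from the defender's side, the two conditions his message combines, whether `/sys/kernel/debug/acpi/custom_method` is exposed at all and whether `kernel.modules_disabled` is actually set, and flags the case where the second is undermined by the first. The paths are parameters so the check can be pointed at a mounted image or a constructed test tree; the default paths are the real sysfs/procfs locations, the kernel option name `CONFIG_ACPI_CUSTOM_METHOD` (which compiles the interface out) is stated from the kernel tree rather than from this thread.

```shell
#!/bin/sh
# Audit helper (added example, not from the oss-sec thread).
# Exit status 0 means "no finding"; 1 means a finding was printed.

# custom_method present at all is a finding: any writer (normally root)
# can load arbitrary AML and gain kernel memory writes. Kernels built
# without CONFIG_ACPI_CUSTOM_METHOD do not create this file.
check_custom_method() {
    path="${1:-/sys/kernel/debug/acpi/custom_method}"
    if [ -e "$path" ]; then
        echo "WARN: $path exists (ACPI custom_method interface exposed)"
        return 1
    fi
    echo "OK: $path not present"
    return 0
}

# modules_disabled must read exactly "1" to count as set.
check_modules_disabled() {
    path="${1:-/proc/sys/kernel/modules_disabled}"
    if [ -r "$path" ] && [ "$(cat "$path" 2>/dev/null)" = "1" ]; then
        echo "OK: modules_disabled=1"
        return 0
    fi
    echo "WARN: modules_disabled is not 1 (or $path is unreadable)"
    return 1
}

# Combined verdict. The interesting case is modules_disabled=1 together
# with custom_method present: the module restriction is then bypassable
# via an arbitrary kernel write, as described in the thread.
audit_host() {
    cm_path="${1:-/sys/kernel/debug/acpi/custom_method}"
    md_path="${2:-/proc/sys/kernel/modules_disabled}"
    cm_rc=0
    md_rc=0
    check_custom_method "$cm_path" || cm_rc=1
    check_modules_disabled "$md_path" || md_rc=1
    if [ "$md_rc" -eq 0 ] && [ "$cm_rc" -eq 1 ]; then
        echo "FAIL: modules_disabled=1 but custom_method is exposed; restriction is bypassable"
        return 1
    fi
    if [ "$cm_rc" -eq 0 ] && [ "$md_rc" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Usage on a live host (no arguments uses the real paths):
#   audit_host
```

Running `audit_host` with no arguments inspects the real sysfs and procfs paths; on a kernel that compiles the interface out and has `modules_disabled=1`, both checks print OK. A mount of debugfs restricted to root does not change the verdict, since the concern in the thread is root itself.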

