[GLLUG] monilithic kernel (debian 3.0) and ethernet devices

Melson, Paul PMelson@sequoianet.com
Thu, 21 Mar 2002 15:19:55 -0500


The only thing like that that I'm aware of is a pretty obscure issue
that was a bug in the kernel itself (2.4.3-6).  If the condition was met
(no modules.dep file at boot) the kernel would build one chmod 666.
Then an attacker could force the kernel to load whatever module s/he
wanted, but only after rebooting.  It was pretty tough to exploit, and
any half-hearted file system monitoring tool would have found the new
world-writeable file before an exploit would likely occur.

If your kernel, modules, or libraries are stored on writeable
partitions, they are all susceptible to this sort of attack, and can all
allow an attacker continued access/privileges on the system in a way
that might not be detected through conventional logging mechanisms.
Building a monolithic kernel doesn't, in my opinion, provide any
additional security in and of itself.

PaulM

-----Original Message-----
From: djf2 [mailto:djf2@danu.ili.net]
Sent: Thursday, March 21, 2002 2:30 PM
Cc: linux-user@egr.msu.edu
Subject: Re: [GLLUG] monilithic kernel (debian 3.0) and ethernet devices


On Thu, 21 Mar 2002, Matt Graham wrote:

> On Thursday 21 March 2002 11:54, you wrote:
> > So for security reasons I've compiled my IPSec enabled (freeswan) and
> > Masquerading enabled kernel monolithically
> 
> I've never understood why people would do that.  It doesn't provide any
> security benefits that I can see, since you have to be root anyway to
> load a module.  If a malicious attacker gets root on your machine,
> you're screwed whether or not the attacker loads a new module.
> 

     I know at least one reason that people do it is because a rogue
module can make it awfully hard to tell if you've been rooted.  It's a
matter of damage control after a compromise: some of those rogue modules
can hide files, logins, netstat info, and provide a backdoor for people
to get back in to your system without creating an account.  I can't
remember for certain, but I do seem to recall that at least one older
module exploit didn't require the attacker to be root.  Also, there have
been several exploits that will allow an attacker to overwrite arbitrary
files.  With an exploit like that it'd be fairly trivial to figure out
which module a system loads and really simple to cause a reboot.  The
attacker wouldn't have had root before that, but he would after it.


--
"Is that sound you're hearing the trumpeting of St. Peter's angels
 or the screams of Memnoch's tortured souls?"
Don Flynn        djf2@ili.net                   Sayge@IRC 

_______________________________________________
linux-user mailing list
linux-user@egr.msu.edu
http://www.egr.msu.edu/mailman/listinfo/linux-user
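Editor's note: Paul's point above is that the dangerous artifact in that 2.4.3-6 bug was an ordinary file, a modules.dep that anyone on the box could write, and that any file system monitoring worth the name would have caught it before it was abused. The script below is an added example, not code posted by anyone in this thread, of that check: it lists world-writable regular files under a module tree (or any other tree that the kernel or modprobe reads from, such as /boot or /lib), strips the other-write bit as a remedy, and builds a constructed fixture with a mode 666 modules.dep so the check can be exercised offline. The default path /lib/modules/$(uname -r), the fixture contents and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the GLLUG thread above; not from the original messages.
# Audits a directory for world-writable files, the condition Paul describes
# (modules.dep left at mode 666), and offers a one-line remediation.

# check_module_tree [DIR]
# Prints every world-writable regular file under DIR and returns 1 if any
# are found, 0 if the tree is clean, 2 if DIR does not exist.
# DIR defaults to the running kernel's module tree (an assumed path).
check_module_tree() {
    dir="${1:-/lib/modules/$(uname -r)}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # -perm -002: the "other write" bit is set. This catches the 666 from
    # the bug report but also 622, 777 and so on. Only regular files are
    # considered; a symlink's own mode bits are not what modprobe honours.
    bad=$(find "$dir" -type f -perm -002 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "world-writable files under $dir:"
        echo "$bad" | sed 's/^/  /'
        return 1
    fi
    return 0
}

# fix_module_tree DIR
# Remediation: clear the other-write bit on every offending regular file.
fix_module_tree() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
}

# make_fixture DIR
# Builds a constructed module tree whose modules.dep is mode 666, mirroring
# the outcome Paul describes, so the check can be run without a real 2.4 box.
# The module name and dependency line are made up for the example.
make_fixture() {
    mkdir -p "$1/kernel/net"
    : > "$1/kernel/net/ipip.o"
    chmod 644 "$1/kernel/net/ipip.o"
    echo "/lib/modules/2.4.3/kernel/net/ipip.o:" > "$1/modules.dep"
    chmod 666 "$1/modules.dep"
}
```

To use it on a live system, source the file and run `check_module_tree` with no argument for the running kernel's module tree, or pass /boot or /lib explicitly; a non-zero exit is what a cron job or integrity monitor should alert on. Note that the check only finds files that are already wrong, which is Paul's "half-hearted file system monitoring"; it does nothing about the separate concern he raises, that a writable partition lets an attacker with root replace kernel, modules or libraries wholesale, and for that the answer is mounting those trees read-only and checksumming them, not a monolithic kernel.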