mailing list archives
Re: your mail
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Mon, 12 Jul 1999 18:16:58 +1000
In some mail from Anonymous, sie said:
THC released a new article dealing with FreeBSD 3.x
Kernel modules that can attack/backdoor the
You can find our article on http://thc.pimmel.com or
A couple of comments. This is only possible on systems which are
already insecure (securelevel < 0). In other environments, modules
which are loaded (and their parent directories) should be immutable,
preventing someone from loading their own. Similar protection of
startup scripts and things run at boot time is also required.
Generally, once someone has root on the system it should be considered
"game over" and it is necessary to rebuild from scratch :-(
In section III, (3), putting hashes in the kernel is not of much use
unless the kernel is immutable. In (4), it should say that any tool which
directly interrogates /dev/kmem will also circumvent hacking sysctl (unless
that tool itself is also hacked, which is what the original trojans for
ps did in rootkits).
In general, nothing written up is new, except the sploits for script
kiddies. I trust you folks are also working on Solaris exploits, where
it is (currently) impossible to disable loadable modules...
[LoWNOISE] Lotus Domino ET LoWNOISE (Jul 10)