Home page logo

bugtraq logo Bugtraq mailing list archives

Re: More modutils: It's probably worse.
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 14 Nov 2000 00:06:32 +0100

On Mon, 13 Nov 2000, Chris Evans wrote:

modprobe -C, to specify a config file other than /etc/modules.conf,
would be an interesting route to play with.

You are wrong - modprobe WON'T parse eg. argv[n]="-r blahblah" or
argv[n]="-rblahblah" - every switch that requires additional parameters
has to be split into two argv[] entries (argv[n]="-r",
argv[n+1]="blahblah"). It is not possible to split anything into two or
more separate argv entries using request_module() call - where
/sbin/modprobe is called with user-supplied module name as argv[3]. The
same applies to module parameter parsing (so 'mymodule someparam=xxx'
won't work as well), etc. And, finally, at least my modprobe from modutils
2.1.121, have no -C switch.

Another thing I don't get regarding all the feedback - request_module()
contains pretty strict checks, and couldn't be called without root
privledges or specific capabilities. And the only one location where it
seems to be called with user-supplied module name is the networking code.
Maybe I am missing something, but at least for me, modprobe
vulnerabilities are exploitable via privledged networking services,
nothing more.

Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]