Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Linux kernel scm_send local DoS
From: xbud <xbud () g0thead com>
Date: Fri, 17 Dec 2004 16:18:47 -0500

On Wednesday 15 December 2004 15:48, gadgeteer () elegantinnovations org wrote:
Not by disabling the syscall but by replacing it in the manner that a
rootkit replaces syscalls.  Build a new kernel from the same
source/config except for patch.  Replace syscalls where there is change.
Practical?
Stable?
No.  Much easier to simply reboot to new kernel.  If service(s) are so
critical as to not tolerate a reboot yet have a single point of failure
on this one component then there are greater problems at play.

I'd have to agree with Paul on this one, be it syscall or a binary patch for 
other code.  It's in kernel mode, if the module/patch crashes the running 
image 'oops' I downed the box.  I doubt any reasonable IT procedures would 
endure this type of fix on their production systems.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]