In some mail from Anonymous, sie said:
>
> Hi folks,
>
> THC released a new article dealing with FreeBSD 3.x
> Kernel modules that can attack/backdoor the
> system.
> You can find our article on http://thc.pimmel.com or
> http://r3wt.base.org.

A couple of comments.

This is only possible on systems which are already insecure (securelevel < 0). In other environments, modules which are loaded (and their parent directories) should be immutable, preventing someone from loading their own. Similar protection of startup scripts and things run at boot time is also required. Generally, once someone has root on the system it should be considered "game over" and it is necessary to rebuild from scratch :-(

In section III, (3), putting hashes in the kernel is not of much use unless the kernel is immutable.

In (4), it should say that any tool which directly interrogates /dev/kmem will also circumvent hacking sysctl (unless that tool itself is also hacked, which is what the original trojans for ps did in rootkits).

In general, nothing written up is new, except the sploits for script kiddies.

I trust you folks are also working on Solaris exploits, where it is (currently) impossible to disable loadable modules...

Darren
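An added example, not part of Darren's reply or of THC's article: a small POSIX sh audit helper for the two controls the reply relies on, a raised securelevel and the schg (immutable) flag on kernel modules, their parent directories and boot-time scripts. It assumes FreeBSD-style `ls -lo` output (mode, links, owner, group, flags, size, date, name); the listing below is constructed sample data, and `live_audit` is the only part that touches a real system.

```shell
#!/bin/sh
# Audit helpers (assumption: FreeBSD, where `ls -lo` shows a flags column
# such as "schg" or "-" and `sysctl -n kern.securelevel` prints the level).

# kld_load_blocked LEVEL: true when the securelevel stops new module loads.
# At securelevel -1 or 0 root can still kldload; 1 or higher refuses it.
kld_load_blocked() {
    [ "$1" -ge 1 ]
}

# unprotected_paths: read `ls -lo` lines on stdin and print every file or
# directory whose flags field lacks "schg", i.e. anything root could still
# replace or add to (a module, its directory, an rc script).
unprotected_paths() {
    while read -r mode links owner group flags rest; do
        case "$mode" in -*|d*) ;; *) continue ;; esac   # skip headers
        path=${rest##* }                                # name is last field
        case ",$flags," in
            *,schg,*) ;;                                # immutable: fine
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# live_audit PATH...: run both checks against the running system.
live_audit() {
    lvl=$(sysctl -n kern.securelevel)
    if kld_load_blocked "$lvl"; then
        echo "securelevel $lvl: kldload blocked"
    else
        echo "securelevel $lvl: kldload allowed, rootkit modules loadable"
    fi
    ls -ldo "$@" | unprotected_paths
}

# Constructed sample listing: one protected module, one unprotected module,
# the unprotected module directory, a protected rc and an append-only rc.local.
SAMPLE_LS='-r--r--r--  1 root  wheel  schg    8192 Apr 13  2001 /modules/ipfw.ko
-rw-r--r--  1 root  wheel  -       4096 Apr 13  2001 /modules/evil.ko
drwxr-xr-x  2 root  wheel  -        512 Apr 13  2001 /modules
-r-xr-xr-x  1 root  wheel  schg    1024 Apr 13  2001 /etc/rc
-rw-r--r--  1 root  wheel  uappnd   200 Apr 13  2001 /etc/rc.local'

# Sample run (no system access needed):
#   printf '%s\n' "$SAMPLE_LS" | unprotected_paths
# prints /modules/evil.ko, /modules and /etc/rc.local.
```

On a live box, `live_audit /modules /modules/*.ko /etc/rc /etc/rc.local` shows in one screen whether a raised securelevel is in force and which of those paths still lack the schg flag.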
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:51:58 PDT