On Tue, 3 Oct 2006, SHELLCODE Security Research wrote:
Hello,
The present document aims to demonstrate a design weakness found in the handling of the singly linked lists used to register the binary formats handled by the Linux kernel. It affects all the kernel families (2.0/2.2/2.4/2.6), allowing the insertion of infection modules in kernel space that can be used by malicious users to create infection tools, for example rootkits.
So the problem you find is that newly registered binfmts are inserted at the front of the binfmt list instead of the rear, and this means that a binfmt handler can slip in quietly at runtime, ahead of every other handler?
I'm not sure I see this as a real problem. If you can load a module into kernel space and access arbitrary symbols (not to mention run in ring 0), I think you can do a lot more than just hide out on the binfmt list.
Am I missing something?
POC, details and proposed solution at:
English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf
regards,
--
SHELLCODE Security Research TEAM
http://www.shellcode.com.ar
Thanks,
Chase
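To make the registration-order point concrete, here is a small user-space model of the binfmt registry, added as an illustration for this archive page; it is neither kernel code nor the SHELLCODE PoC. It keeps the kernel's contract that each handler's load_binary() returns 0 when it accepts an image and -ENOEXEC when it does not, and that search_binary_handler() walks the list in order and stops at the first acceptance. The list is singly linked to match the advisory's wording (2.6 actually uses a doubly linked list_head); the handler names, the rogue handler and the four-byte ELF magic buffer are all constructed for the example. Registering at the head puts the later-loaded handler in front of the ELF loader, so it sees every ELF exec first; registering at the tail leaves the original handler in charge.

```c
#include <stddef.h>
#include <string.h>

/* Model of the binfmt registry (example code, not kernel code).
 * A handler returns 0 when it accepted the image, -ENOEXEC when it does not
 * recognise it, mirroring the kernel's load_binary() contract. */
#define ENOEXEC 8

struct binprm {                 /* stand-in for struct linux_binprm */
    unsigned char buf[4];       /* first bytes of the executable image */
    const char *handled_by;     /* name of the handler that accepted it */
};

struct binfmt {                 /* stand-in for struct linux_binfmt */
    const char *name;
    int (*load_binary)(struct binfmt *self, struct binprm *bprm);
    struct binfmt *next;        /* singly linked, as in the advisory's description */
};

static struct binfmt *formats;  /* head of the registry */
static int rogue_intercepts;    /* how many images the rogue handler saw */

/* Head insertion: what the advisory objects to (newest handler first). */
static void register_at_head(struct binfmt *fmt)
{
    fmt->next = formats;
    formats = fmt;
}

/* Tail insertion: the proposed fix (earliest handler keeps priority). */
static void register_at_tail(struct binfmt *fmt)
{
    struct binfmt **pp = &formats;
    while (*pp)
        pp = &(*pp)->next;
    fmt->next = NULL;
    *pp = fmt;
}

/* Walk the registry in order; the first handler that accepts wins. */
static const char *search_binary_handler(struct binprm *bprm)
{
    for (struct binfmt *f = formats; f; f = f->next)
        if (f->load_binary(f, bprm) == 0)
            return bprm->handled_by;
    return NULL;                /* no handler recognised the image */
}

/* Genuine ELF loader: accepts only images starting with \x7fELF. */
static int load_elf(struct binfmt *self, struct binprm *bprm)
{
    if (memcmp(bprm->buf, "\x7f" "ELF", 4) != 0)
        return -ENOEXEC;
    bprm->handled_by = self->name;
    return 0;
}

/* Hypothetical rogue handler: claims ELF images so it runs before the real
 * loader. A real infection module would tamper and then defer to load_elf;
 * here it simply records that it intercepted the exec. */
static int load_rogue(struct binfmt *self, struct binprm *bprm)
{
    if (memcmp(bprm->buf, "\x7f" "ELF", 4) != 0)
        return -ENOEXEC;
    rogue_intercepts++;
    bprm->handled_by = self->name;
    return 0;
}

static struct binfmt elf_format   = { "elf",   load_elf,   NULL };
static struct binfmt rogue_format = { "rogue", load_rogue, NULL };

/* Register ELF first and the rogue later (as a module loaded at runtime
 * would), then ask which handler an ELF exec reaches. `insert_at_head`
 * selects the advisory's problematic ordering (1) or the fix (0). */
const char *who_handles_elf(int insert_at_head)
{
    struct binprm bprm = { { 0x7f, 'E', 'L', 'F' }, NULL };   /* constructed header */
    formats = NULL;
    rogue_intercepts = 0;
    elf_format.next = rogue_format.next = NULL;
    if (insert_at_head) {
        register_at_head(&elf_format);
        register_at_head(&rogue_format);
    } else {
        register_at_tail(&elf_format);
        register_at_tail(&rogue_format);
    }
    return search_binary_handler(&bprm);
}

/* Unrecognised magic falls through every handler regardless of ordering. */
const char *who_handles_unknown(int insert_at_head)
{
    struct binprm bprm = { { '#', '!', '/', 'b' }, NULL };    /* constructed header */
    who_handles_elf(insert_at_head);   /* rebuild the registry in the chosen order */
    return search_binary_handler(&bprm);
}

int rogue_intercept_count(void) { return rogue_intercepts; }
```

Note that tail insertion only changes who gets the first look; as the reply above points out, a module already running in ring 0 could just as well overwrite the existing handler's function pointer, so the ordering is a visibility nuisance rather than a privilege boundary.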