[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

New hack against BSD, Linux is _mostly_ safe from it.

My housemate has formalized a sortof new attack against unix-style
operating systems.  He's a BSD fan, so that's where he developed the
attack.  He asked me to check Linux, which I did.  It seems Linux is
not vulnerable to it.  This attack is going out to BUGTRAQ tonight.

The attack isn't too serious because it requires physical access to
the console, but it doesn't require anything like disassembling the
machine.  It's just that you have to type into the boot prompt.

The basic attack is for an unprivileged user to copy the kernel or
otherwise obtain a usable kernel, modify some system call to leverage 
root access, and then to make that kernel boot.  The BSD bootloader
allows the user to specify any arbitrary pathname to load, so this
attack doesn't require a boot floppy, or boot CD-ROM, or anything else
of the like.

Linux booted from LILO is not vulnerable, because bootable kernels must
be specified ahead of time in /etc/lilo.conf, and I truly hope that no
Linux system has a publicly writable /etc/lilo.conf.  Linux booted from
SILO _is_ vulnerable unless a boot password is specified in /etc/silo.conf,
because SILO will otherwise allow the person at console to specify any
arbitrary file from which to boot, just as the BSD bootloader does.  With
the boot password specified in /etc/silo.conf, SILO will require the
user at console to enter the boot password before loading an arbitrary

Someone who is more familiar with SILO than I should take a look at this
to make sure that I'm right: my sparc isn't working these days, so I had
to rely on reading the SILO source code to figure out the password

The specific hack that's being posted to BUGTRAQ is in the form of
a gdb script that modifies an existing BSD kernel so that suser() always
returns 0 (which indicates "Yes, he's a superuser" in the BSD kernel).
Linux isn't susceptible to this specific attack because our suser()
function is inlined.  Nevertheless, the attack could be modified so
that it changes sys_chmod() to allow anyone to set the setuid flag.
But luckily we're saved by our bootloaders.

I am not subscribed to linux-security (someone keeps unsubscribing
me), so I have CC-ed myself on this message.  If a discussion develops,
please leave me on the CC line so that I can listen in.


Jon Paul Nollmann ne' Darren Senn                     sinster darkwater com
Unsolicited commercial email will be archived at $1/byte/day.
"Even a fool, when he holdeth his peace, is counted wise."   Proverbs 17:28

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]