Subject: More modutils: It's probably worse.
From: Chris Evans (chris SCARY.BEASTS.ORG)
Date: Mon Nov 13 2000 - 15:01:23 CST
- Next message: Michal Zalewski: "Re: More modutils: It's probably worse."
- Previous message: Charles J. Knipe: "Re: Denial of Service Vulnerability in Sun AnswerBook2"
- Next in thread: Michal Zalewski: "Re: More modutils: It's probably worse."
- Reply: Michal Zalewski: "Re: More modutils: It's probably worse."
Hi,
I think this problem is worse than originally thought. As noted by Olaf:
---
It should be noted that older Linux distributions using e.g. modutils-2.1.121 (which I'm looking at) should be safe: before modprobe will do _anything_ it checks the name of the requested module against /lib/modules/modules.dep and fails if the module's not listed. Getting "; chmod +w ." listed as a module should be sort of tricky.
---

Unfortunately, we can subvert modutils _before_ any validation of module name gets run. If we make the first character of our proposed module a '-', then it will be just like we passed an option to modprobe.
modprobe -C, to specify a config file other than /etc/modules.conf, would be an interesting route to play with.
Oh dear. Looks like a kernel issue as well as a modutils issue. Also looks like more distributions could be affected.
I'd normally hold off posting something like this, but I guarantee black hats have already figured this out.
Cheers
Chris
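
Added example, not part of the original post and not code from modutils or the kernel: a caller-side check that treats the requested module name as untrusted, rejecting both the leading '-' case and the "; chmod +w ." case quoted above, and places "--" ahead of the name so it can only be read as an operand. The function names, the /sbin/modprobe path, the length limit and the allowed character set are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helpers; the character policy and MODNAME_MAX are assumptions
 * chosen for this example, not the rule modutils or the kernel applies. */
#define MODNAME_MAX 64

/* Return 1 if name is acceptable as a module name, 0 otherwise. */
int module_name_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MODNAME_MAX)
        return 0;
    /* A leading '-' would be parsed by the helper as an option, e.g. -C. */
    if (name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)    /* rejects ';', spaces, '/', '.' and other shell/path characters */
            return 0;
    }
    return 1;
}

/* Fill argv (capacity >= 4) for an exec-style call, never a shell string.
 * Returns 0 on success, -1 if the name is rejected or argv is too small. */
int build_modprobe_argv(const char *name, const char *argv[], size_t cap)
{
    if (cap < 4 || !module_name_is_safe(name))
        return -1;
    argv[0] = "/sbin/modprobe";   /* assumed helper path */
    argv[1] = "--";               /* end of options: what follows is an operand */
    argv[2] = name;
    argv[3] = NULL;
    return 0;
}
```

The two measures are independent: the name check runs before anything is executed, and the "--" marker still prevents option parsing of the name if the check is later loosened.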