



Archive: mlangel@sikurezza.org
Subject: Re: Angel bypass
From: Paolo Perego
Date: 24 Feb 2004 07:46:18 -0000

Daniele Bellucci wrote:

| My idea is to check the file offset in /dev/kmem .. if it refers
Maybe this would tie the code to the specific kernel image... offsets
may depend on how the kernel is compiled and so on, and this is not a
good solution.

| |May be I'm wrong here, but if an attacker would put usage counter to 0
| |and remove our code playing with kmem must use a char device with major
| |X and minor Y. But in our system there could only be just one device
| |with the same pair (X, Y) so I can't point where the problem is...
|
| you can use mknod to create another kmem with same major/minor number
| to get rid of the angel "sys_open" check.
Mmmh... sorry Daniele, but I know how a device can be created using a
pair (x, y) of numbers. I was pointing out another thing. /dev/kmem has
major 1 and minor 2 on my system. I created a char device foo with the
same number pair and the result is that operating on the new fake char
device foo has the same results as operating on /dev/kmem. I argue that
it happened because both /dev/kmem and foo have the same pair, so for the
kernel foo is viewed as its memory mapping.

For an attacker (who has to be root on the machine in order to create a
char device) using foo is the same as using /dev/kmem at this point. But
for angel foo has the same major and minor number as /dev/kmem, so I
can't see where the attacker can fool us.

I repeat, maybe I'm wrong, but I can't see where the problem is in creating
a new char dev... to accomplish his bad task the bad char dev has to
have the same major and minor that /dev/kmem has...

IMHO, of course
thesponge
- --
$>cd /pub
$>more beer

(0>
//\  Perego Paolo <p_perego@xxxxxxxxxxx> - www.sikurezza.org/angel
V_/_ 'Great enterprises often arise from small opportunities' (Demosthenes)
I'm Linux zion 2.6.2 - SuSE Linux 9.0 (i586) powered.

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005