Message-ID: <20110226073038.GP4669@outflux.net>
Date: Fri, 25 Feb 2011 23:30:38 -0800
From: Kees Cook <kees@...ntu.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions

On Fri, Feb 25, 2011 at 03:10:10PM +0300, Vasiliy Kulikov wrote:
> UID 0 without capabilities has not been made really unprivileged yet.
> It makes sense only within namespace container without any virtual
> filesystem which handles permissions with uid/gid checks (not CAP_*).
> But this is rather strange.

True, but I was just trying to show some examples. The case I'm most
concerned about is the case where modules_disable has been set. It
is possible to use acpi/custom_method to unset this and then load
kernel rootkit modules, etc.

I know it's a special case, but it still provides arbitrary kernel
memory writes which is not an intended ability for any user to
have, even root.

-Kees

-- 
Kees Cook
Ubuntu Security Team
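As an added audit helper, not part of the thread above, the script below reports whether a host exposes the debugfs custom_method interface Kees describes and whether the kernel.modules_disabled sysctl (written modules_disable in the message) is set, the combination in which the interface matters most. Paths are parameters so the checks can be exercised against a constructed directory tree; the Kconfig symbol CONFIG_ACPI_CUSTOM_METHOD is taken from the kernel source, not from the thread.

```shell
#!/bin/sh
# Audit helper (added example, not from the oss-security thread).
# Every check takes its paths as arguments so it can run against a
# constructed tree as well as the live system.

# 0 if <debugfs_root>/acpi/custom_method exists, i.e. the interface that
# allows arbitrary kernel memory writes is exposed on this host.
custom_method_exposed() {
    [ -e "$1/acpi/custom_method" ]
}

# 0 if the given modules_disabled sysctl file reads "1".
modules_disabled_set() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# 0 if a kernel config file enables the custom_method driver (=y or =m).
custom_method_built() {
    grep -q '^CONFIG_ACPI_CUSTOM_METHOD=[ym]$' "$1" 2>/dev/null
}

# Prints one verdict word:
#   modules_disabled-bypassable : custom_method exposed AND modules_disabled=1,
#                                 so the module restriction is not meaningful
#   custom_method-exposed       : interface present, no module restriction set
#   ok                          : interface not present
assess() {
    debugfs_root=$1
    sysctl_file=$2
    if custom_method_exposed "$debugfs_root"; then
        if modules_disabled_set "$sysctl_file"; then
            echo "modules_disabled-bypassable"
        else
            echo "custom_method-exposed"
        fi
    else
        echo "ok"
    fi
}

# Live-system usage: debugfs is normally mounted at /sys/kernel/debug.
audit_host() {
    assess /sys/kernel/debug /proc/sys/kernel/modules_disabled
    custom_method_built "/boot/config-$(uname -r)" \
        && echo "kernel config enables CONFIG_ACPI_CUSTOM_METHOD"
    return 0
}

audit_host
```

Mitigation on kernels that still expose the file is to build without CONFIG_ACPI_CUSTOM_METHOD or leave debugfs unmounted; the verdict word makes the script easy to wire into a configuration-compliance check.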
