Re: Registration Weakness in Linux Kernel's Binary formats

From: Chase Venters
Date: Tue Oct 03 2006 - 17:48:27 EST


On Tue, 3 Oct 2006, SHELLCODE Security Research wrote:

Hello,
The present document aims to demonstrate a design weakness found in the
handling of simply linked lists used to register binary formats handled by
Linux kernel, and affects all the kernel families
(2.0/2.2/2.4/2.6), allowing the insertion of infection modules in
kernel space that can be used by malicious users to create infection
tools, for example rootkits.

So the problem you find is that newly registered binfmts are inserted into the front of the binfmt list instead of the rear, and this means that a binfmt handler can slip in at runtime and run quietly before any other handler?

I'm not sure I see this as a real problem. If you can load a module into kernel space and access arbitrary symbols (not to mention run in ring 0) I think you can do a lot more than just hide out on the binfmt list.

Am I missing something?

POC, details and proposed solution at:
English version: http://www.shellcode.com.ar/docz/binfmt-en.pdf
Spanish version: http://www.shellcode.com.ar/docz/binfmt-es.pdf

regards,
--
SHELLCODE Security Research TEAM
GoodFellas@xxxxxxxxxxxxxxxx
http://www.shellcode.com.ar


Thanks,
Chase
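
Added example, not part of the original thread and not kernel code: a user-space model of the ordering question raised above, showing which handler gets first look at an image when a late-registered handler is linked at the front versus the rear of a singly linked list. All names (`struct fmt`, `register_front`, `register_rear`, `dispatch`, `first_handler`) and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* User-space model; all names are hypothetical, not the kernel's. */
struct fmt {
    const char *name;
    int (*load)(const unsigned char *b, size_t n); /* 0 = claimed, -1 = pass */
    struct fmt *next;
};

static int load_elf(const unsigned char *b, size_t n)
{ return (n >= 4 && memcmp(b, "\177ELF", 4) == 0) ? 0 : -1; }
static int load_script(const unsigned char *b, size_t n)
{ return (n >= 2 && b[0] == '#' && b[1] == '!') ? 0 : -1; }
/* Stands in for a handler registered later at runtime; claims everything. */
static int load_any(const unsigned char *b, size_t n)
{ (void)b; (void)n; return 0; }

static void register_front(struct fmt **head, struct fmt *f)
{ f->next = *head; *head = f; }
static void register_rear(struct fmt **head, struct fmt *f)
{
    while (*head) head = &(*head)->next;   /* walk to the last link */
    f->next = NULL; *head = f;
}

/* Walk in list order; the first handler to claim the image wins. */
static const char *dispatch(struct fmt *head, const unsigned char *b, size_t n)
{
    for (struct fmt *f = head; f; f = f->next)
        if (f->load(b, n) == 0) return f->name;
    return NULL;
}

/* Build the list with the late handler at the front or rear, then dispatch. */
const char *first_handler(int late_at_front, const unsigned char *img, size_t n)
{
    struct fmt elf = { "elf", load_elf, NULL }, script = { "script", load_script, NULL };
    struct fmt late = { "late", load_any, NULL }, *head = NULL;
    register_rear(&head, &elf);
    register_rear(&head, &script);
    if (late_at_front) register_front(&head, &late); else register_rear(&head, &late);
    return dispatch(head, img, n);
}

int main(void)
{
    const unsigned char elf_hdr[] = { 0x7f, 'E', 'L', 'F' }; /* constructed sample */
    printf("front: %s, rear: %s\n", first_handler(1, elf_hdr, 4), first_handler(0, elf_hdr, 4));
    return 0;
}
```

In this model, rear insertion means the late handler only sees images that every earlier handler declined; front insertion gives it first look at all of them.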