Re: ext2 attribute immutable
Snow Cat (snowcat@math.csufresno.edu)
Fri, 5 Apr 1996 18:29:19 -0800 (PST)
Kevin M Bealer once wrote:
>
> On Wed, 3 Apr 1996, Zefram wrote:
>
> > >> So, how does one need to modify /proc/1/mem to decrease the secure-level
> > >> after getting root access? :)
> > >
> > >You don't need to. You can just do a ptrace() on init, or create your
> > >OWN init process --- by using a careful, controlled fork bomb we can
> > >easily create new processes until we are about to wrap pid, then kill
> > >init and wait until one of our forks has a pid of 1.
> >
> > The fork attack shouldn't be possible. On SunOS, for example, when the
> > PIDs wrap, they wrap to 101, not 1. Doesn't Linux do something like
> > this? If it wraps to 1, this has to change -- conceptually, low PIDs
> > are a privileged resource, so access to them must be restricted.
> (clip)
>
> Testing this with a bash script, I counted the pid up to 32,750 and then did
> 'ps' manually until the pid wrapped. The pid did NOT wrap to 100 or 300, it
> wrapped to '4'... skipping 1,2,3 which were taken.
>
Ok, init can't be ptrace()d or kill()ed. You can try one of these:
1) Look in /System.map for securelevel, for example:
00000000001b8024 D securelevel
Write a program that mmap()s /dev/mem and then does:
*(int *)(map + 0x1b8024) = 0;
2) run "debugfs /dev/hda1" and kill_file anything with immutable attribute
that you want to replace.
3) If a kernel hacker blocked you from direct access to devices, do iopl(3) and
program DMA ports + floppy controller to transfer a sector from floppy to
the kernel page that has securelevel. (S)he can't block this, because X servers
do the same iopl() call :)
PS: Did anyone write a version of insmod-HACKER-TOOL and ksymoops that
understands new 64-bit addresses in System.map?
--
_. _ .
(_ ,_ _ , . / ` _ _L | Email: Oleg Kibirev <oleg@math.CSUFresno.EDU>
._)| U(_)\/\/ \_,(_L/L | Visit http://math.math.CSUFresno.EDU/~oleg/math.html
------------------------' to get my programs + PGP public key (and resume:)