Date: Fri, 25 Feb 2011 23:30:38 -0800
From: Kees Cook <kees@...ntu.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions

On Fri, Feb 25, 2011 at 03:10:10PM +0300, Vasiliy Kulikov wrote:
> UID 0 without capabilities has not been made really unprivileged yet.
> It makes sense only within namespace container without any virtual
> filesystem which handles permissions with uid/gid checks (not CAP_*).
> But this is rather strange.

True, but I was just trying to show some examples. The case I'm most
concerned about is the case where modules_disable has been set. It is
possible to use acpi/custom_method to unset this and then load kernel
rootkit modules, etc. I know it's a special case, but it still provides
arbitrary kernel memory writes which is not an intended ability for any
user to have, even root.

-Kees

--
Kees Cook
Ubuntu Security Team
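
A host audit for the case raised in the message above, as an added example that is not part of the original post or of any kernel tooling: it reports whether the debugfs file named in the subject line is exposed on a system that relies on /proc/sys/kernel/modules_disabled. The function name, the ROOT prefix argument, the verdict strings and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag hosts where the module-loading lock is relied on while
# the ACPI custom_method debugfs file is still exposed.
# audit_custom_method [ROOT]: ROOT is a path prefix (empty = the live system).
# The prefix is an assumption of this example so the check can run on a test tree.
# Run as root on a live system: /sys/kernel/debug is normally readable by root only.
audit_custom_method() {
    root="${1:-}"
    lock_file="$root/proc/sys/kernel/modules_disabled"
    method_file="$root/sys/kernel/debug/acpi/custom_method"

    # The lock counts as set only when the sysctl file reads exactly "1".
    locked=0
    if [ -r "$lock_file" ] && [ "$(cat "$lock_file")" = "1" ]; then
        locked=1
    fi

    if [ ! -e "$method_file" ]; then
        # debugfs not mounted, or the interface is not built in / not loaded
        echo "OK: custom_method not exposed (modules_disabled=$locked)"
    elif [ "$locked" -eq 1 ]; then
        echo "FAIL: modules_disabled=1 but custom_method is exposed"
    else
        echo "WARN: custom_method is exposed (modules_disabled=0)"
    fi
}

# Build a constructed sample tree standing in for a host's /proc and /sys.
make_tree() {   # make_tree DIR LOCK_VALUE EXPOSED(yes|no)
    mkdir -p "$1/proc/sys/kernel" "$1/sys/kernel/debug/acpi"
    echo "$2" > "$1/proc/sys/kernel/modules_disabled"
    if [ "$3" = "yes" ]; then : > "$1/sys/kernel/debug/acpi/custom_method"; fi
}

# Demo on constructed data: a locked-down host with the interface present.
demo=$(mktemp -d)
make_tree "$demo" 1 yes
audit_custom_method "$demo"
rm -rf "$demo"
```

Calling `audit_custom_method` with no argument checks the running system.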