Re: Unprivilegued settings for FreeBSD kernel variables

Subject: Re: Unprivilegued settings for FreeBSD kernel variables
From: Ivaylo Kostadinov <ivaylo.kostadinov@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Jun 2004 10:14:41 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx, cert@xxxxxxxx, phrackstaff@xxxxxxxxxx, staff@xxxxxxxxxxxxxxxxxxxxxxx, security@xxxxxxxxxxx
In-reply-to: <xzpzn74prwm.fsf@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040615064223.GA22190@xxxxxxxxx> <xzpzn74prwm.fsf@xxxxxxxxxx>
User-agent: Mozilla Thunderbird 0.6 (X11/20040609)

Dag-Erling Smørgrav wrote:
> I've already told you that there is no such threat, since the attack
> you describe can only be initiated by someone who already has
> unrestricted access.  Please stop wasting everybody's time.


If the vulnerability described exists then there is such a threat.

The sole purpose of the FreeBSD secure levels is to prevent even someonewith unrestricted access from performing certain operations unlessworking on the console and the system is in "maintenance" mode.

Imagine a bootable-CD-only FreeBSD system acting as router/firewall insecurelevel 3. Even if somehow a hacker gets remote access to the systemshe/he will not be able to change the firewall setup.If however the hacker is able to reduce the secure level the she/he canreconfigure the firewall and thus disrupt the only function the systemis meant to perform.

This said if we look at the described "... security threat in basicsecurity facility..." :


>
> EXAMPLE:
> kernel module can gives you a new sysctl (for example kern.securelevel2):
> kern.securelevel2
> with which you can lower/raiser sysctl.securelevel variable
> (source code attached)
>
> $ kldstat
> Id Refs Address    Size     Name
>  1    7 0xc0400000 4378e4   kernel
>  ...
> $
> $ kldload ./securelevel2.ko
> $ kldstat
> Id Refs Address    Size     Name
>  1    8 0xc0400000 4378e4   kernel
>  ...
>  8    1 0xc4e96000 2000     securelevel2.ko

Why would you want to load the above-mentioned module? I mean except forthe purpose of exposing the securelevel2 variable.


This command only:

> sudo sysctl kern.securelevel=3

will safely put the system in the corresponding securelevel

> SYSCTL_PROC(_kern, OID_AUTO, securelevel2, CTLTYPE_LONG|CTLFLAG_RW,0, 0, sysctl_securelevel2, "I", ".");

> [...]
>

I have not checked where this code is from but it seems to me that theCTLFLAG_SECURE or similar flags are missing there.Does this not indicate that the sysctl variable is intended to bemodifiable at any securelevel?

In conclusion, the described scenario would reduce the securelevel butit will have to be engineered and greatly helped by the rightful adminof the system.And I must say I have definitely seen easier ways to Trojan-horse yourown host.



Best wishes,

ivaylo kostadinov

References:
- Unprivilegued settings for FreeBSD kernel variables
  - From: Radko Keves
- Re: Unprivilegued settings for FreeBSD kernel variables
  - From: Dag-Erling Smørgrav

Prev by Date: RE: Antivirus/Trojan/Spyware scanners DoS!
Next by Date: Re: Is predictable spam filtering a vulnerability?
Previous by thread: Re: Unprivilegued settings for FreeBSD kernel variables
Next by thread: Re: Unprivilegued settings for FreeBSD kernel variables
Index(es):
- Date
- Thread