[EMAIL PROTECTED] wrote:
>
<snip>
>
> If he cracks your filesystem you are already SOL. He can replace your
> bootsector with one that installs Windows97 and wait for a power
> failure. Or replace your kernel image with an evil one.
>
Never heard of Tripwire, eh?
Read the Sec. howto.
<snip>
>
> So fix the buffer overflow. To me it doesn't make any sense to let an
> intruder into your system, and then try to make it a little harder for
> him to do obvious damage. Keep the *** out in the first place. :-)
> Once someone can write on your filesystem without a by-your-leave, it is
> not your system any more.
<snip>
If you install a replacement kernel image, you have to know the exact
hardware configuration in order to make it work. With a module you need
not bother with the details. Also, a new kernel image will make tripwire
alarm you before the reboot which will give control to the new kernel,
while modules take effect immediately.
The problem is: Normally you detect an intruder by careful study of
syslogs and tripwire-like program output. But with the described module
attack, you can get your Trojan Horse into the system WITHOUT BEING
DETECTED, WITHOUT EVEN A CHANCE TO BE DETECTED, because you load the
module, the module hides itself from lsmod, ls /lib/modules/.. and
everything! There is no other attack that can go on for so long w/o
being recognized.
And, frankly, you are a misguided man if you think that only modules
from ftp.*.kernel.org can be loaded. Take SB live, take the crypto API
from ftp.kerneli.org, etc.
Marc
--
Marc Mutz <[EMAIL PROTECTED]> http://marc.mutz.com/
University of Bielefeld, Dep. of Mathematics / Dep. of Physics
PGP-keyID's: 0xd46ce9ab (RSA), 0x7ae55b9e (DSS/DH)
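The two detection ideas raised in this exchange, a Tripwire-style baseline that catches a replaced kernel image or an added module file before the next reboot, and an independent second view of the loaded-module list for a module that hides itself from lsmod, as an added example that is not part of the original post and is not code from Tripwire or the kernel. It assumes that a second listing of loaded modules is available (such as /sys/module on kernels with sysfs) alongside /proc/modules, which is what lsmod reads; the directory layout, file contents and module names are constructed for the demonstration.

```python
"""Tripwire-style integrity baseline plus a loaded-module cross-check.

Added illustration for the thread above; not code from Tripwire, the kernel,
or the poster. All paths, file contents and module names are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so a large kernel image needs little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the digest of every regular file under root (e.g. /boot, /lib/modules)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(root, baseline):
    """Report files whose digest changed, plus files added or removed since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def parse_proc_modules(text):
    """Module names from /proc/modules (first column); this is the list lsmod prints."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_modules_text, second_view_names):
    """Modules present in an independent listing but missing from /proc/modules.

    A module that unlinks itself from the kernel's module list vanishes from
    lsmod; diffing against a second view (assumed here: /sys/module) gives the
    defender something to alarm on. Built-in kernel code with parameters also
    appears under /sys/module without a /proc/modules entry, so a real scan
    would whitelist those names; that is not done here.
    """
    return sorted(set(second_view_names) - parse_proc_modules(proc_modules_text))


# Constructed sample: what /proc/modules might show, and what the second view shows.
PROC_MODULES_SAMPLE = """\
ext4 700000 1 - Live 0x0000000000000000
snd_emu10k1 200000 0 - Live 0x0000000000000000
"""
SECOND_VIEW_SAMPLE = ["ext4", "snd_emu10k1", "hide_me"]


def demo():
    """Baseline a constructed /boot-like tree, tamper with it, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp)
        (boot / "vmlinuz").write_bytes(b"constructed kernel image")
        (boot / "modules").mkdir()
        (boot / "modules" / "ext4.o").write_bytes(b"constructed module")
        baseline = build_baseline(boot)
        # Simulate the two changes discussed in the thread.
        (boot / "vmlinuz").write_bytes(b"constructed replaced kernel image")
        (boot / "modules" / "hide_me.o").write_bytes(b"constructed extra module")
        report = compare_baseline(boot, baseline)
    return report, hidden_modules(PROC_MODULES_SAMPLE, SECOND_VIEW_SAMPLE)


if __name__ == "__main__":
    print(demo())
```

The baseline check only helps if the stored digests live somewhere the intruder cannot rewrite (read-only media or a separate host), which is the same assumption Tripwire makes; the module cross-check is useful precisely because it does not depend on the list the hidden module has tampered with.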