I was not worried about this for the same reason but was hoping for some confirmation. The part that would worry me is not really new and that is someone remastering and putting in a susceptible kernel. Especially if they masquerade as a legitimate distro. Again, not a new possibility, but this story brought it to mind again. Sounds like the community consideres it a yawner trho so I will go back to sleep.
On 10/4/06, Alan Dayley <alandd@consultpros.com> wrote:
On Wed, October 4, 2006 5:03 pm, Dazed_75 wrote:
>>From slashdot this morning:
>
> Weakness In Linux Kernel's Binary
> Format<http://it.slashdot.org/it/06/10/03/2122220.shtml
>
> *Posted by kdawson <http://technologyfront.com/> on Tuesday October 03,
> @06:50PM*
> *from the get-right-on-this dept.*
> [image: Security] <
http://slashdot.org/search.pl?tid=172>
> Goodfellas <goodfellas@shellcode.com.ar> writes, *"This document aims to
> demonstrate a design weakness found in the handling of simply linked lists
> used to register binary formats handled by the Linux kernel. It affects
> all
> the kernel families (2.0/2.2/2.4/2.6), allowing the insertion of infection
> modules in kernel space that can be used by malicious users to create
> infection tools, for example rootkits. Proof of concept, details, and
> proposed solution (in PDF form):
> English<
http://www.shellcode.com.ar/docz/binfmt-en.pdf>,
> Spanish <http://www.shellcode.com.ar/docz/binfmt-es.pdf>.*
>
>
> Has anyone seen or heard of this? I was not able to get the report and
> might not understand it anyway. It might be totally bogus. NTL, I was
> surprised it had not been mentioned here. BTW, the English link was to
>
http://www.shellcode.com.ar/docz/binfmt-en.pdf in case it is not active
> here. I was guessing the site may have been overwhelmed preventing me
> from
> getting it, but I am curious about it.
Caveats to the following comments:
1. I have not read the paper cited.
2. I quote some of the responses in the associated Slashdot discussion
which, at times, are worth less than you pay for them.
-------------------
And?
(Score:5, Informative)
by ledow (319597) * Alter Relationship on Tuesday October 03, @06:54PM
(#16298943)
(http://www.ledow.org.uk/)
Although any auditing is welcome and they may be a problem here, the fact
is that it's hardly news and not exploitable. The reports says itself that
you have to be root to exploit it. It's already game-over. Yes, look for
these sorts of things and find them but it's hardly worth the shock-factor
of "Massive Hole Found In Linux" panic headlines.
-------------------
Re:What about other ELF systems?
(Score:5, Informative)
by Tyger (126248) Alter Relationship on Tuesday October 03, @08:01PM
(#16299587)
....
The point is, once you have root, there are any number of ways to
compromise the system and hide your exploits. It's good to have the
information about as many different ways as possible out in the open, but
it's hardly alarming news that there's yet another discovered.
-------------------
Too bad you have to be root.
(Score:5, Funny)
by czehp (156215) Alter Relationship on Tuesday October 03, @06:54PM
(#16298947)
... I have a security flaw... but you have to be _root_ to execute it!
AHHHHH It's the end of the world!
I discovered a new one too... if you run rm -rf / as root you'll bork your
system!
We should all go back to windows, where rm doesn't exist ^_^
--------------------
(And on and on....)
--------------------
Back to me.
I'm not worried about it. But, somebody got a lot of publicity out of it!
Alan
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss