I was not worried about this for the same reason but was hoping for some
confirmation. The part that would worry me is not really new and that is
someone remastering and putting in a susceptible kernel. Especially if they
masquerade as a legitimate distro. Again, not a new possibility, but this
story brought it to mind again. Sounds like the community considers it a
yawner though so I will go back to sleep.
On 10/4/06, Alan Dayley <alandd@consultpros.com> wrote:
>
> On Wed, October 4, 2006 5:03 pm, Dazed_75 wrote:
> > From Slashdot this morning:
> >
> > Weakness In Linux Kernel's Binary
> > Format<http://it.slashdot.org/it/06/10/03/2122220.shtml>
> > *Posted by kdawson <http://technologyfront.com/> on Tuesday October 03,
> > @06:50PM*
> > *from the get-right-on-this dept.*
> > Goodfellas <goodfellas@shellcode.com.ar> writes, *"This document aims to
> > demonstrate a design weakness found in the handling of simply linked lists
> > used to register binary formats handled by the Linux kernel. It affects all
> > the kernel families (2.0/2.2/2.4/2.6), allowing the insertion of infection
> > modules in kernel space that can be used by malicious users to create
> > infection tools, for example rootkits. Proof of concept, details, and
> > proposed solution (in PDF form):
> > English <http://www.shellcode.com.ar/docz/binfmt-en.pdf>,
> > Spanish <http://www.shellcode.com.ar/docz/binfmt-es.pdf>."*
> >
> >
> > Has anyone seen or heard of this? I was not able to get the report and
> > might not understand it anyway. It might be totally bogus. NTL, I was
> > surprised it had not been mentioned here. BTW, the English link was to
> > http://www.shellcode.com.ar/docz/binfmt-en.pdf in case it is not active
> > here. I was guessing the site may have been overwhelmed preventing me from
> > getting it, but I am curious about it.
>
> Caveats to the following comments:
> 1. I have not read the paper cited.
> 2. I quote some of the responses in the associated Slashdot discussion
> which, at times, are worth less than you pay for them.
>
> -------------------
> And?
> (Score:5, Informative)
> by ledow (319597) on Tuesday October 03, @06:54PM (#16298943)
> (http://www.ledow.org.uk/)
> Although any auditing is welcome and there may be a problem here, the fact
> is that it's hardly news and not exploitable. The report says itself that
> you have to be root to exploit it. It's already game-over. Yes, look for
> these sorts of things and find them but it's hardly worth the shock-factor
> of "Massive Hole Found In Linux" panic headlines.
>
> -------------------
> Re:What about other ELF systems?
> (Score:5, Informative)
> by Tyger (126248) on Tuesday October 03, @08:01PM (#16299587)
>
> ....
>
> The point is, once you have root, there are any number of ways to
> compromise the system and hide your exploits. It's good to have the
> information about as many different ways as possible out in the open, but
> it's hardly alarming news that there's yet another discovered.
>
> -------------------
>
> Too bad you have to be root.
> (Score:5, Funny)
> by czehp (156215) on Tuesday October 03, @06:54PM (#16298947)
> ... I have a security flaw... but you have to be _root_ to execute it!
> AHHHHH It's the end of the world!
>
> I discovered a new one too... if you run rm -rf / as root you'll bork your
> system!
>
> We should all go back to windows, where rm doesn't exist ^_^
>
> --------------------
> (And on and on....)
> --------------------
> Back to me.
>
> I'm not worried about it. But, somebody got a lot of publicity out of it!
>
> Alan
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
Be who you are and say what you feel, because those who mind don't matter
and those who matter don't mind. - Dr. Seuss