On Thu, 16 Apr 2009 12:43:07 -0400, Noah Meyerhans wrote:
> On Thu, Apr 16, 2009 at 11:55:05AM -0400, Michael S. Gilbert wrote:
> > as seen in recent articles and discussions, the linux kernel is
> > currently vulnerable to rootkit attacks via the /dev/mem device. one
> > article [1] mentions that there is an existing patch for the problem,
> > but does not link to it. perhaps this fix can be found in the kernel
> > mailing lists.
>
> There's no vulnerability there. /dev/mem is only writable by root.
>
> The research (if there's really any research involved) just shows how
> you could hide files or processes by manipulating /dev/mem. That's been
> known for ages. That's why you don't let your users write to /dev/mem.
> If the attacker has root, who cares what means they use to hide their
> presence, you've already lost.

i believe that the "if they've got root, you've already lost" consensus
is a logical fallacy. an aspect of security is being able to detect when
you have been compromised. hence, it is a lot worse when the attacker is
able to mask their presence. at least when they only have root they leave
tracks and you can detect files, configs, and utilities that differ from
the norm or are out of place.

i think that any flaw that allows an attacker to elevate his pwnage from
root to hidden should always be considered a grave security issue.

best regards,
mike