Full Disclosure mailing list archives

Re: Re: Linux kernel scm_send local DoS


From: xbud <xbud () g0thead com>
Date: Fri, 17 Dec 2004 16:18:47 -0500

On Wednesday 15 December 2004 15:48, gadgeteer () elegantinnovations org wrote:
> Not by disabling the syscall but by replacing it in the manner that a
> rootkit replaces syscalls.  Build a new kernel from the same
> source/config except for patch.  Replace syscalls where there is change.
> Practical?
> Stable?
> No.  Much easier to simply reboot to new kernel.  If service(s) are so
> critical as to not tolerate a reboot yet have a single point of failure
> on this one component then there are greater problems at play.

I'd have to agree with Paul on this one, be it a syscall or a binary patch for
other code.  It's in kernel mode; if the module/patch crashes the running
image, 'oops', I've downed the box.  I doubt any reasonable IT procedures would
endure this type of fix on their production systems.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
