Full Disclosure mailing list archives
Re: Re: Linux kernel scm_send local DoS
From: xbud <xbud () g0thead com>
Date: Fri, 17 Dec 2004 16:18:47 -0500
On Wednesday 15 December 2004 15:48, gadgeteer () elegantinnovations org wrote:
Not by disabling the syscall but by replacing it in the manner that a rootkit replaces syscalls. Build a new kernel from the same source/config except for patch. Replace syscalls where there is change. Practical? Stable? No. Much easier to simply reboot to new kernel. If service(s) are so critical as to not tolerate a reboot yet have a single point of failure on this one component then there are greater problems at play.
I'd have to agree with Paul on this one, be it syscall or a binary patch for other code. It's in kernel mode, if the module/patch crashes the running image 'oops' I downed the box. I doubt any reasonable IT procedures would endure this type of fix on their production systems.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html