oss-sec mailing list archives
Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions
From: Kees Cook <kees () ubuntu com>
Date: Fri, 25 Feb 2011 23:30:38 -0800
On Fri, Feb 25, 2011 at 03:10:10PM +0300, Vasiliy Kulikov wrote:
> UID 0 without capabilities has not been made really unprivileged yet. It makes sense only within namespace container without any virtual filesystem which handles permissions with uid/gid checks (not CAP_*). But this is rather strange.
True, but I was just trying to show some examples. The case I'm most concerned about is the case where modules_disable has been set. It is possible to use acpi/custom_method to unset this and then load kernel rootkit modules, etc. I know it's a special case, but it still provides arbitrary kernel memory writes which is not an intended ability for any user to have, even root.
-Kees
--
Kees Cook
Ubuntu Security Team
Current thread:
- CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Kees Cook (Feb 24)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Eugene Teo (Feb 24)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Vasiliy Kulikov (Feb 25)
- Re: CVE request: kernel: /sys/kernel/debug/acpi/custom_method can bypass module restrictions Kees Cook (Feb 25)
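A defender-side check for the condition discussed in this thread, as an added example that is not part of any message in it: it reports whether `/sys/kernel/debug/acpi/custom_method` is present while module loading has been locked through the `kernel.modules_disabled` sysctl. The function name, its optional root-prefix argument, the `AUDIT_ROOT` variable and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether the debugfs file
# named in the thread exists while module loading is locked.
# Assumptions: the function name, the optional root prefix (for testing
# against a constructed tree) and the return codes are this example's own.
#   0 = custom_method absent
#   1 = present, module loading not locked
#   2 = present AND kernel.modules_disabled=1 (the lock can be undermined)
#   3 = debugfs not inspectable by this user (rerun as root)

audit_custom_method() {
    root="${1:-}"
    lock_file="$root/proc/sys/kernel/modules_disabled"
    debugfs="$root/sys/kernel/debug"
    method="$debugfs/acpi/custom_method"

    # debugfs is normally mode 0700; a non-root lookup would falsely say "absent".
    if [ -d "$debugfs" ] && [ ! -x "$debugfs" ]; then
        echo "UNKNOWN: cannot search $debugfs, rerun as root"
        return 3
    fi

    if [ ! -e "$method" ]; then
        echo "OK: $method not present"
        return 0
    fi

    # A missing sysctl file is treated as "not locked".
    locked=0
    [ -r "$lock_file" ] && locked=$(cat "$lock_file")

    if [ "$locked" = "1" ]; then
        echo "EXPOSED: modules_disabled=1 but $method exists"
        return 2
    fi
    echo "NOTE: $method exists; module loading is not locked"
    return 1
}

# Audit the live system when run directly; AUDIT_ROOT is an optional prefix.
audit_custom_method "${AUDIT_ROOT:-}" || echo "audit status: $?"
```

A status of 2 is the case the message above is most concerned about: the host relies on the module lock, yet the debugfs file is still reachable by root.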