Re: Flame Linus to a crisp!

From: Dax Kelson (dax@gurulabs.com)
Date: Thu Apr 24 2003 - 03:46:11 EST


On Thu, 24 Apr 2003 Valdis.Kletnieks@vt.edu wrote:

> On top of which, if a buffer overflow is found, the exploit will run in
> the context of the signed program.

Two examples I can think of right now:

1. Manipulated 007 save games files can subvert the Xbox when they
overflow the trusted game.
2. The "hack resistant" series 2 Tivo boxes can be subverted by a
insecure, signed Linux kernel.

The Tivo kernel is signed with ElGamal, and the Tivo firmware will refuse
to run a non-signed kernel and initrd image. The initrd image has SHA1
hashes of all the bootup config files, binaries and and a hash checker.
The idea here is that Tivo can control what is executed.

Turns out Tivo signed a kernel+initrd that wasn't locked down properly.
Oops! This kernel+initrd package has become a hot commodity.

The pieces that come together are:

1. All directories/files are verified EXCEPT stuff on /var
- However, none of the hash checked boot scripts reference anything on
/var

2. Users can control what command line is passed to the kernel

3. Users can put the Tivo hard drive in a PC and put stuff on /var.

Finally, Tivo didn't validate/scrub the kernel command line properly, and
people were able to get their own daemons and code running, stored on
/var, by passing BASH_ENV with a funky value to the kernel.

Dax Kelson

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Wed Apr 30 2003 - 22:00:12 EST