> On top of which, if a buffer overflow is found, the exploit will run in
> the context of the signed program.
Two examples I can think of right now:
1. Manipulated 007 save games files can subvert the Xbox when they
overflow the trusted game.
2. The "hack resistant" series 2 Tivo boxes can be subverted by a
insecure, signed Linux kernel.
The Tivo kernel is signed with ElGamal, and the Tivo firmware will refuse
to run a non-signed kernel and initrd image. The initrd image has SHA1
hashes of all the bootup config files, binaries and and a hash checker.
The idea here is that Tivo can control what is executed.
Turns out Tivo signed a kernel+initrd that wasn't locked down properly.
Oops! This kernel+initrd package has become a hot commodity.
The pieces that come together are:
1. All directories/files are verified EXCEPT stuff on /var
- However, none of the hash checked boot scripts reference anything on
/var
2. Users can control what command line is passed to the kernel
3. Users can put the Tivo hard drive in a PC and put stuff on /var.
Finally, Tivo didn't validate/scrub the kernel command line properly, and
people were able to get their own daemons and code running, stored on
/var, by passing BASH_ENV with a funky value to the kernel.
Dax Kelson
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/