[Info-vax] Malware in kernel mode, was: Re: Android development Was Re: OT: Larry Ellison takes retirement as CEO of Oracle

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Sep 26 15:44:38 EDT 2014


On 2014-09-26, JF Mezei <jfmezei.spamnot at vaxination.ca> wrote:
> On 14-09-25 16:15, Simon Clubley wrote:
>
>> We are talking about a buffer/integer/whatever overflow/other
>> vulnerability in some kernel mode component which allows what should
>> be data to be executed as code.
>
> Can you give an example where a buffer overflow would happen in kernel
> mode?
>

Many vulnerabilities come about because code doesn't apply enough
checking to structured data received from an untrusted source.

The majority of the time this targets a normal user level process
such as a web server. However, there's no reason why the exact same
principle could not be used against code running in kernel context
which processes incoming data as structured data.

For example, with TCP/IP there will be a number of kernel context
components interpreting incoming data as structured data. A couple
of UCX 5.x examples which come immediately off the top of my head are
TNDRIVER and the NFS kernel component.

In the old days, PPPDRIVER would have been a good candidate for
detailed investigation but I doubt many VMS systems today have
incoming or outgoing PPP connections and even fewer will have PPP
connections with potentially untrusted peers.

Try using SDA to examine the device drivers and kernel level components
loaded into your VMS systems, then think about the kinds of structured
data some of them will be processing and finally think about how you
can throw badly structured data at those kernel level components.

BTW, I didn't mention SSH because I'm not sure if it has a kernel level
component other than FTDRIVER. If SSH has kernel level components
which process incoming structured data from an external source then
you can add SSH to that list.

Also, this being VMS, there are other protocols floating around apart
from TCP/IP.

Also, as well as the above protocol level layers, don't forget there
have been attacks against the other layers such as ICMP and TCP in
the past.

> I can understand an IO operating in kernel writing beyond the end of the
> user's buffer but that won't rewrite kernel code will it ?
>

It doesn't need to rewrite kernel code. It just needs to trick a
kernel level component into executing the incoming data as code.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
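Added example (not from the post above and not taken from TNDRIVER, NFS or any other VMS component): a parser for a constructed type-length-value record, the kind of structured data a kernel network component interprets. The peer-supplied length field is bounded against both the bytes actually received and the destination buffer before anything is copied; the record layout, status codes and sample packets are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define VALUE_MAX 16

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,     /* fewer than 2 header bytes received */
    PARSE_LEN_EXCEEDS_PKT,  /* length field claims more than was received */
    PARSE_LEN_EXCEEDS_DST   /* length field exceeds the destination buffer */
};

struct record {
    uint8_t type;
    uint8_t len;
    uint8_t value[VALUE_MAX];
};

/* The unchecked pattern this parser replaces (not to be used):
 *     memcpy(out->value, pkt + 2, pkt[1]);
 * pkt[1] comes from the peer, so the copy length is peer-controlled. */
enum parse_status parse_record(const uint8_t *pkt, size_t pkt_len,
                               struct record *out)
{
    if (pkt_len < 2)
        return PARSE_SHORT_HEADER;
    uint8_t len = pkt[1];
    /* First bound: the declared length must fit in what actually arrived. */
    if ((size_t)len > pkt_len - 2)
        return PARSE_LEN_EXCEEDS_PKT;
    /* Second bound: it must also fit the destination we copy into. */
    if (len > VALUE_MAX)
        return PARSE_LEN_EXCEEDS_DST;
    out->type = pkt[0];
    out->len = len;
    memcpy(out->value, pkt + 2, len);
    return PARSE_OK;
}
/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[]  = { 0x01, 0x03, 'a', 'b', 'c' };
static const uint8_t short_pkt[] = { 0x01, 0x10, 'a', 'b' };   /* claims 16, has 2 */
static const uint8_t big_pkt[66] = { 0x01, 0x40 };             /* claims 64 > VALUE_MAX */
/* Convenience for callers that only need the verdict. */
enum parse_status check_packet(const uint8_t *pkt, size_t pkt_len)
{
    struct record r;
    return parse_record(pkt, pkt_len, &r);
}
```

The two separate bounds matter: a length that fits the destination can still exceed the bytes received (an over-read), and a length that matches the received bytes can still exceed the destination (an over-write).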
