Comment by RandomGerm4n

13 days ago

This does not seem to work with Fedora Atomic. Because the system is read-only, the kernel module cannot be loaded. You would have to create an RPM package for the rootkit that you can then layer. In addition, due to Secure Boot, the kernel module would have to be signed with the same key as the system itself.

With Secure Boot enabled, is it mandatory for kernel modules to be signed with the same key so they can be loaded? I was not aware of this.

insmod can load a module from anywhere (surely /tmp is writable), even stdin. That's why you definitely want to block unknown kernel modules.

  • Most production OSes I saw would do this on boot-up completion:

    echo 1 > /proc/sys/kernel/modules_disabled

    Which is supposed to block dynamic loading of modules until a reboot.

    It would be interesting if the PoC can get around that trick too. =3

    • If Kernel Lockdown is enabled, a zero-day exploit is required to bypass module restrictions without a reboot.

      Unfortunately, threat actors tend to have a stash of them and the initial entry vector often involves one (container or browser sandbox escape), and once you have that, you are in ring 0 already and one flipped bit away from loading the module.

      The Linux kernel is not really an effective privilege boundary.


    • Or only allow signed kernel modules. AKA Secure Boot.

      This doesn't solve all vectors, but afaics this will prevent non-signed modules from loading.
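As an added example (my own, not code from anyone in this thread), a small POSIX shell check a defender can run to see which of the three controls discussed above are active on a box: the `modules_disabled` sysctl, the kernel lockdown mode, and module signature enforcement. The file paths are the standard Linux ones; the three-way classification is my own assumption about how to summarise them.

```shell
#!/bin/sh
# Added example: report the kernel-side module-loading controls from the thread.
# Files are read defensively so the script also runs where one is absent.

MODULES_DISABLED=/proc/sys/kernel/modules_disabled          # 1 = no more module loads until reboot
LOCKDOWN=/sys/kernel/security/lockdown                      # e.g. "none [integrity] confidentiality"
SIG_ENFORCE=/sys/module/module/parameters/sig_enforce       # Y = unsigned modules are rejected

# read_or PATH DEFAULT: print the file's contents, or DEFAULT if it cannot be read.
read_or() {
  if [ -r "$1" ]; then cat "$1" 2>/dev/null || printf '%s' "$2"; else printf '%s' "$2"; fi
}

# lockdown_mode LINE: extract the bracketed active mode; a line without brackets is returned as-is.
lockdown_mode() {
  case "$1" in
    *\[*\]*) printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p' ;;
    *)       printf '%s\n' "$1" ;;
  esac
}

# classify MODULES_DISABLED LOCKDOWN_LINE SIG_ENFORCE
# Prints "blocked"     if no further modules can be loaded at all,
#        "signed-only" if only signed modules load (lockdown integrity/confidentiality or sig_enforce=Y),
#        "open"        otherwise, i.e. an unsigned module from /tmp or stdin would load.
classify() {
  if [ "$1" = "1" ]; then echo blocked; return; fi
  mode=$(lockdown_mode "$2")
  if [ "$mode" = integrity ] || [ "$mode" = confidentiality ] || [ "$3" = "Y" ]; then
    echo signed-only; return
  fi
  echo open
}

main() {
  md=$(read_or "$MODULES_DISABLED" 0)
  ld=$(read_or "$LOCKDOWN" none)
  se=$(read_or "$SIG_ENFORCE" N)
  echo "modules_disabled=$md lockdown=$(lockdown_mode "$ld") sig_enforce=$se"
  echo "module loading: $(classify "$md" "$ld" "$se")"
}

main "$@"
```

Note that `modules_disabled` cannot be reset to 0 once set, which is why it is typically flipped as the last step of boot; `signed-only` still leaves a window for a correctly signed but vulnerable module.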