> :     But even if you turn off the bpf device, you still have /dev/mem and
> :     /dev/kmem to worry about.  For that matter, the intruder can still write
> :     raw devices.  Also, there is another kernel feature called kldload(8).
> 
>     BTW, I wrote this section because a hacker actually installed the bpf 
>     device via the module loader during one of the root compromises at BEST,
>     a year or two ago.  He had gotten it from a hacker's cookbook of exploits
>     which he conveniently left on-disk long enough for our daily backups to
>     catch it :-).

This doesn't actually help the attacker much, since at that point in 
time the network drivers wouldn't have been calling the bpf tap points, 
so it might well have been loaded, but it wouldn't have been _doing_ 
anything useful.

-- 
\\  The mind's the standard       \\  Mike Smith
\\  of the man.                   \\  [EMAIL PROTECTED]
\\    -- Joseph Merrick           \\  [EMAIL PROTECTED]