
How could a cracker force the loading of a kernel rootkit at boot? Is there a way to link the malicious module with another module so that it is loaded automatically without any insmod command?

forest
MysticDog

1 Answer

Assuming you have complete privileged access to the filesystem on a Linux computer, you can load arbitrary kernel modules. There are several techniques you can use (non-exhaustive list):

  • Specify the module to load at boot using various configuration files.
  • Modify files in modprobe.d(5) to autoload your rootkit whenever a module normally loads.
  • Modify modules.dep(5) to specify your module as a dependency of another module.
  • Modify the initramfs to include your module in place of another module which is to be loaded.
  • Modify or replace an existing kernel module to contain your payload.

The final technique is likely the most stealthy, as it does not involve any configuration file changes and requires reverse engineering or keeping track of file integrity to detect. Note however that kernel module signing can defeat this by enforcing a valid signature on any modules to be loaded. If the module was compiled and signed on the same system as it is being used on, there is a chance that you can find the signing key in the unallocated space of the filesystem (as it is created at compile-time and then merely unlinked), but it's a long shot. If kernel module signing is in place and you are unable to obtain the signing key, you will have to find other methods to gain access to the kernel.

If you simply want to automatically load a module on boot without user interaction, you may be able to, making your desire to avoid insmod possibly superfluous. Various initramfs-generation scripts such as dracut, genkernel, and mkinitcpio can be used to include modules in the initramfs, and provide hooks for custom scripts. You can load the module in there.

Although not a malicious module per se, you may be able to trigger autoloading of a poorly-audited and insecure module that you have a working exploit for and use that module to escalate privileges. The two main ways to cause module autoloading are to perform a syscall with arguments that require an unloaded module (such as socket(2) with an argument that specifies the famously insecure DCCP protocol), or to insert a device that requires an obscure but in-tree hardware driver.

Glorfindel
forest
  • In some special cases, you can also write directly to kernel memory and bypass the module loading mechanism entirely. But, I guess that in this case you will not try to load a module. You would be better off directly changing what you want in kernel memory. – perror Dec 22 '17 at 10:41
    @perror That's why I linked [Methods root can use to elevate itself to kernel mode](https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode) which gives some examples. – forest Dec 22 '17 at 12:25
  • Sorry, I didn't follow this link. I should have! :) – perror Dec 22 '17 at 12:40
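The first three techniques in the answer (boot-time configuration, modprobe.d(5) directives, and tampered modules.dep(5) entries) leave traces in plain-text files, and an unsigned or out-of-tree module sets a kernel taint bit once loaded. The audit below is an added example written for this page, not code from the answer or any project; it parses constructed modprobe.d and modules.dep content and decodes a taint value, and the module names it uses are made up.

```python
# Kernel taint bits (Documentation/admin-guide/tainted-kernels.rst):
# bit 12 'O' = out-of-tree module loaded, bit 13 'E' = unsigned module loaded.
TAINT_FLAGS = {1 << 12: "O:out-of-tree module", 1 << 13: "E:unsigned module"}

# modprobe.d(5) directives that chain another action onto a normal module load.
CHAIN_DIRECTIVES = ("install", "softdep")

def modprobe_chain_rules(text):
    """Return (directive, module, argument) for modprobe.d lines that chain loads.
    'install foo <cmd>' runs <cmd> instead of loading foo; 'softdep foo pre: bar'
    pulls in bar whenever foo is requested.  Note 'install <mod> /bin/true' is a
    common, benign blacklisting idiom, so every hit still needs a manual look."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 2)   # drop comments, keep 3 fields
        if len(parts) == 3 and parts[0] in CHAIN_DIRECTIVES:
            rules.append((parts[0], parts[1], parts[2].strip()))
    return rules

def foreign_deps(modules_dep_text):
    """Heuristic: in-tree modules (paths under kernel/) whose modules.dep entry
    names a dependency outside kernel/ (extra/, updates/, absolute path).
    Distribution modules only depend on other distribution modules, so such an
    entry should be checked against the package manager's file list."""
    findings = []
    for line in modules_dep_text.splitlines():
        module, sep, deps = line.partition(":")
        if sep and module.startswith("kernel/"):
            bad = [d for d in deps.split() if not d.startswith("kernel/")]
            if bad:
                findings.append((module, bad))
    return findings

def module_taints(tainted_value):
    """Decode /proc/sys/kernel/tainted into the module-related flags that are set."""
    return [name for bit, name in TAINT_FLAGS.items() if tainted_value & bit]

# Constructed sample inputs (not taken from a real system); suspect_mod is made up.
SAMPLE_MODPROBE = ("options snd slots=snd_hda_intel\n"
                   "install dccp /bin/true  # distro blacklist\n"
                   "softdep e1000e pre: suspect_mod\n")
SAMPLE_DEP = ("kernel/fs/ext4/ext4.ko: kernel/fs/jbd2/jbd2.ko kernel/fs/mbcache.ko\n"
              "kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko: extra/suspect_mod.ko\n"
              "extra/suspect_mod.ko:\n")

if __name__ == "__main__":
    print(modprobe_chain_rules(SAMPLE_MODPROBE))
    print(foreign_deps(SAMPLE_DEP))
    print(module_taints(12288))   # O and E both set
```

On a live host, feed it the concatenation of /etc/modprobe.d/*.conf and /usr/lib/modprobe.d/*.conf, the modules.dep for the running kernel, and the integer in /proc/sys/kernel/tainted.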