undefined | Better HN

0 pointswoodman9y ago0 comments

> A rootkit may require a root permission to install...

This sort of phrasing is misleading. If your OS restricts security sensitive kernel functions to the root user (hint: 99% of OSes do), then it isn't "may" - it is "must". Are there wrapper scripts that run privilege escalation exploits before installing the rootkit? Yes. Doesn't that make the exploit part of the rootkit? No, they are two very different things performing two different functions and are capable of operating independent of one-another.

> ...the purpose is the same: To provide the attacker with root permissions.

No, it is to allow code to run at the same privilege level as the kernel itself. Unrestricted loadable kernel modules. Think that is a distinction without a difference? OSX disagrees, as does Windows.

0 comments

jdmichal9y ago

Regardless, the point of a rootkit is to provide an execution context with escalated privileges. Whether that means root user, kernel space, System user is I would think depends on the specific rootkit. (Whose name, of course, points to "root" privileges.) Which was my original definition and is inline with the posted definition from Wikipedia.

woodmanOP9y ago

Well I guess we won't come to an agreement, because it seems that whatever reason you prefer a very loose definition. For example, you just couldn't help yourself in confusing the privilege escalation point: "...context with escalated privileges." The rootkit isn't escalating anything, in the same way that LKMs, bootloaders, tracetools, or drivers don't escalate - it executes at or below its own privilege level.

jdmichal9y ago

I'm obviously not communicating my point well. Let's try this:

A backdoor executes in a remote machine. It allows attackers to access that machine.

A rootkit executes in a "remote" privileged context. It allows attackers to access that privileged context. It's in this context that I refer to escalation; it allows the attacker in a non-priviledged context access to a privileged context; aka escalation. And yes, the actual escalation already happened in the past, when the rootkit was installed. However, a non-priviledged user is still gaining illicit access to a privileged context at the moment that the rootkit is utilized.

Also, at this point I think we're splitting semantic hairs that don't really matter, aside from pedantry.

1 more reply

j / k navigate · click thread line to collapse

0 pointswoodman9y ago0 comments

> A rootkit may require a root permission to install...

> ...the purpose is the same: To provide the attacker with root permissions.

0 comments

jdmichal9y ago

woodmanOP9y ago

jdmichal9y ago

I'm obviously not communicating my point well. Let's try this:

A backdoor executes in a remote machine. It allows attackers to access that machine.

Also, at this point I think we're splitting semantic hairs that don't really matter, aside from pedantry.

1 more reply

j / k navigate · click thread line to collapse