by ajross 51 days ago
> p0wned from where? Where's the attack vector?

For clarity: the example upthread about pwning was TCP/IP, not AX.25.

Also the idea that "there are no local exploits in this kernel code because it's not used by the running system" is like the proximate cause of 80% of local privilege escalation vulnerabilities. Seriously?


> How can I exploit an unloaded module?
... by loading it? There are many ways to get the kernel to suck in a module you can then bang on over sysfs or whatever API it presents. You can have a local exploit in a binary with CAP_SYS_MODULE, subsystems can be fooled into passing uncooked strings to modprobe, users can be fooled into dropping junk into /etc/modprobe.d (instructions for doing so are pervasive in the embedded world and most users think this stuff is safe), etc...

This kind of chicanery is the vanilla pudding of the hacker world. It's everywhere. Suffice it to say that you're simply wrong: NO, it's never OK to argue a subsystem is safe because you personally think it can't be loaded. It 100% can be, that's the easy part.
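The comment above says that getting a "dormant" module loaded is the easy part. As an added illustration (not code from the thread or from any commenter), the program below exercises the best-known unprivileged path on Linux: creating a socket for an address family that has no registered handler makes the kernel call request_module("net-pf-<N>"), which runs modprobe as root, so an ordinary user can pull ax25.ko in with one socket() call unless the administrator has blocked it. It records whether ax25 appears in /proc/modules before and after the call. The fallback value 3 for AF_AX25 is Linux's constant and is an assumption only for non-Linux headers; the sample /proc/modules text is constructed, not captured from a real host.

```c
/* Added example: unprivileged module autoload via socket(AF_AX25). Linux-only
 * in effect; builds elsewhere but /proc/modules will be missing. cc -o probe probe.c */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_AX25
#define AF_AX25 3            /* Linux's value; assumed when headers lack it */
#endif

enum probe_result {
    PROBE_OPENED,            /* socket() worked: family present (maybe just loaded) */
    PROBE_UNSUPPORTED,       /* no handler and nothing could be loaded */
    PROBE_OTHER_ERROR        /* EPERM, EACCES, ENOMEM, ...: blocked for another reason */
};

/* Map socket()'s errno to the outcome we care about. */
enum probe_result classify_errno(int err) {
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT || err == ESOCKTNOSUPPORT)
        return PROBE_UNSUPPORTED;
    return PROBE_OTHER_ERROR;
}

/* Try to open a socket of the given family; the descriptor is never kept. */
enum probe_result probe_family(int family, int type) {
    int fd = socket(family, type, 0);
    if (fd >= 0) {
        close(fd);
        return PROBE_OPENED;
    }
    return classify_errno(errno);
}

/* 1 if `name` is a module in text in /proc/modules format
 * ("name size refcount users state addr", one module per line).
 * Matches whole names only, so "ax25" does not match "ax25_foo". */
int module_listed(const char *proc_modules_text, const char *name) {
    size_t n = strlen(name);
    const char *p = proc_modules_text;
    while (*p) {
        if (strncmp(p, name, n) == 0 && p[n] == ' ')
            return 1;
        p = strchr(p, '\n');
        if (p == NULL)
            break;
        p++;
    }
    return 0;
}

/* Constructed sample in /proc/modules format (not captured from a real host). */
const char SAMPLE_PROC_MODULES[] =
    "ax25 77824 0 - Live 0x0000000000000000\n"
    "nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000\n"
    "xt_conntrack 16384 2 - Live 0x0000000000000000\n";

/* Read the live /proc/modules into buf; returns bytes read, or -1 if absent. */
static long read_proc_modules(char *buf, size_t cap) {
    FILE *f = fopen("/proc/modules", "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)got;
}

int main(void) {
    static char before[1 << 16], after[1 << 16];
    int had_before = read_proc_modules(before, sizeof before) >= 0
                     && module_listed(before, "ax25");
    enum probe_result r = probe_family(AF_AX25, SOCK_DGRAM);
    int has_after = read_proc_modules(after, sizeof after) >= 0
                    && module_listed(after, "ax25");

    printf("ax25 loaded before: %s; socket(AF_AX25): %s; loaded after: %s\n",
           had_before ? "yes" : "no",
           r == PROBE_OPENED ? "opened" :
           r == PROBE_UNSUPPORTED ? "unsupported (autoload blocked or not built)" :
           "other error",
           has_after ? "yes" : "no");
    if (!had_before && has_after)
        puts("=> an unprivileged socket() call caused the kernel to load ax25");
    /* To close this path: a file in /etc/modprobe.d with "install ax25 /bin/false"
     * (a plain "blacklist ax25" only stops alias-driven autoload such as this one,
     * not an explicit "modprobe ax25"), and/or sysctl kernel.modules_disabled=1
     * once boot-time loading is done. */
    return 0;
}
```

Run it as an unprivileged user on a box where `lsmod | grep ax25` is empty; if the last line prints, the "nobody loads that module" argument has just been refuted by the kernel itself. The same request_module trigger exists for other families and for many device and filesystem names, which is why the mitigation belongs in modprobe.d or the modules_disabled sysctl rather than in an assumption about what is loaded.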

>users can be fooled into dropping junk into /etc/modprobe.d (instructions for doing so are pervasive in the embedded world and most users think this stuff is safe), etc...

Not an issue for AX25 per se.

If you can fool a user into running root instructions, it's game over, period.

There is a difference between running any instructions and an instruction that would otherwise be considered safe.