• (TS//SI//REL) SODAPRESSED - Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain versions of Linux without SELinux enabled. [1]
They seem to define "persistence" variously, though I think they're talking about a rootkit in general (as opposed to checkpoint/restore). Emphasis on hypervisors, HDD and SSD firmware and, of course, the SMM.
Given that they talk about "Linux application persistence", I'd assume it's some kernel module rootkit. In which case, it's not that cool. The in-kernel ABI changes a lot and basic techniques like hooking the IDT vary.
• (TS//SI//REL) SODAPRESSED - Linux application persistence. Given a running installation of Linux, install some application or inject something into memory which will. This currently works on certain versions of Linux without SELinux enabled. [1]
Does anyone know what exploit this refers to?
[1] https://search.edwardsnowden.com/docs/S3285InternProjects201...