Kmem security (was: Re: How do you make your UNIX crash ???)

Karl Bunch tts at ttank.ttank.com
Mon Mar 25 06:33:27 AEST 1991


In <601 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:

>In article <1991Mar18.153201.23325 at lth.se>, magnus%thep.lu.se at Urd.lth.se (Magnus Olsson) writes:
>> In article <9103152251.41 at rmkhome.UUCP> rmk at rmkhome.UUCP (Rick Kelly) writes:
>> >When anyone logs in, even root, login has to ...

>[Picky, picky, picky!  ;-]

>There have been some claims that getting passwords from the kernel is
>"easy".  I'd like to see an example of how easy it is.  It strikes me
>as being not very easy at all.  Well, sure, I can read all of kmem into..

Try this.. Login as root:

time strings /dev/kmem | grep rootpassword | wc -l

You'll be surprised.  Mind you, you shouldn't have anyone running on the
system or have a history file (ksh or csh) that will save the root password
into a file.  If anyone is on during the test a ps might show them what
grep is looking for.... :-(

Safer would be:

strings /dev/kmem | tr ' ' '^J' | sort -u | more

and do a /rootpassword

On our local system with 10Mb of memory it took 3 seconds and returned
5 matches!  Some of them were where we had used 'cu' to call another host
and used the password, and the last, say, 256 characters were all together:

	Welcome to somewhere....

	login:
	...
	root
	rootpassword..

Etc!  And:

strings /dev/kmem | tr ' ' '^J' | sort -u | wc -l

Only returned 2000 or so words!  Not bad!  You know "SOMEBODY'S" password
is in there.. Just run a guessing program.. At even just 5 guesses per
second I would have the account in 7 mins!  Just wait for root to login
and then run the above.. Save the list of "words" (And this could be
cut better than with just tr) and do a guess at root later when he logs
out...

No problem.. PLEASE PLEASE leave your /dev/kmem world readable.. Hey
why not world writable!

yes > /dev/kmem

Enough sarcasm.. Let's just say it's dangerous in sooo many ways we
can't count them with our current computing ability. :-)

Karl
-- 
% ----------------------------------------------------------------------------
% Karl Bunch                            ||| UUCP: ..!uunet!zardoz!ttank!karl
% Think Tank Software                   ||| INTERNET: karl at ttank.com
% "...you'd be surprised how far a hug will go with Geordi, even Worf!" -- Riker
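The post's whole point is that a world-readable /dev/kmem hands every user whatever plaintext happens to sit in kernel memory. As an added example, not part of Karl's post, here is a small POSIX sh audit that reports any memory device node whose "other" read bit is set; it assumes only ls(1) and the usual /dev paths, and any extra paths can be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): audit kernel-memory device
# nodes for the world-readable bit the post warns about.
# Assumes a POSIX sh with ls(1); device paths are the usual Unix ones.

# Returns 0 when PATH is readable by "other", 1 when it is not, and
# 2 when the path does not exist.  Parses the mode column of ls -ld,
# e.g. "crw-r--r--": the 8th character is the world-read bit.
world_readable() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk the memory device nodes (plus any extra paths given as arguments)
# and report each one that anybody on the system can read.
# Prints one line per node; the return value is the number of offenders,
# so a non-zero status means the box has the problem described above.
audit_kmem_devices() {
    bad=0
    for dev in /dev/kmem /dev/mem /dev/port "$@"; do
        world_readable "$dev"
        case $? in
            0) echo "WARNING: $dev is world-readable"; bad=$((bad + 1)) ;;
            1) echo "ok: $dev is not world-readable" ;;
            2) ;;   # node absent on this system; nothing to check
        esac
    done
    return $bad
}
```

Run it as root from cron or a login script; the fix when it complains is the usual `chmod o-r` plus a kmem group owning the node, exactly what the post is sarcastically asking for.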
