Kmem security (was: Re: How do you make your UNIX crash ???)

Chris Calabrese cjc at ulysses.att.com
Wed Mar 20 00:18:41 AEST 1991


rmk at rmkhome.UUCP (Rick Kelly) writes:
>tchrist at convex.COM (Tom Christiansen) writes:
>>From the keyboard of cjc at ulysses.att.com (Chris Calabrese):
>>:Allowing any access to /dev/kmem is asking for trouble.
>>:It's possible to become root on a system which
>>:has a readable /dev/kmem without too much trouble.
>>
>>With just read access?  How do you do that?  I can understand
>>being able to read other people's data, but I really don't know 
>>how you would use this to become the superuser.  Reading su passwds?
>>This is much harder in raw mode.
>
>Think about it.  Look at the UNIX tools you have available.  Consider the fact
>that /dev/kmem is a file.  When anyone logs in, even root, login has to decrypt
>the password in /etc/password to compare it to the password typed in.  This
>password in memory lies around for a while.  It is extremely easy to grab
>passwords out of kmem, and match them to ANY user, including root.

Actually, modern versions of login (especially System V) take great pains
to trash the plain-text copy of passwords ASAP, so they really only
hang around for a second at most.  However, this is still time enough.

Older versions of login (v7, and older BSD varieties) really did keep
the password in memory for a good long time (at least through the life
of the login program, if not longer, depending on whether the kernel
clears memory pages when they're freed or when they're allocated).

In any event, there are plenty of other programs which read passwords
and don't take such precautions (various screen lock programs, for
instance).

What it all comes down to is this:  kmem is a gaping security hole if
mortals have access to it.  It's also trivially simple to plug that
hole.  Don't whine about it, just do it...

Name:			Christopher J. Calabrese
Brain loaned to:	AT&T Bell Laboratories, Murray Hill, NJ
att!ulysses!cjc		cjc at ulysses.att.com
Obligatory Quote:	``pher - gr. vb. to schlep.  phospher - to schlep light.  philosopher - to schlep thoughts.''
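Plugging the hole the post describes starts with knowing who can read the kernel memory nodes. The audit function below is an added example, not part of the original post; it assumes a POSIX sh with ls, cut and awk, and takes the device paths to check as arguments:

```shell
#!/bin/sh
# Added example: audit kernel memory device nodes for non-root read access.
# Assumes a POSIX sh with ls, cut and awk; device paths are passed as arguments.

# audit_kmem_perms DEV... : for each existing node, print a FINDING if it is
# readable by "other" (the hole discussed in the post), a NOTE if it is only
# group-readable (the usual root:kmem 640 arrangement, which still needs the
# group membership checked), or OK otherwise.  Returns 1 if any FINDING.
audit_kmem_perms() {
    status=0
    for dev in "$@"; do
        [ -e "$dev" ] || continue                 # skip nodes this system lacks
        entry=$(ls -ld "$dev")
        mode=$(printf '%s\n' "$entry" | cut -c1-10)       # e.g. crw-r-----
        group=$(printf '%s\n' "$entry" | awk '{print $4}') # owning group
        group_r=$(printf '%s\n' "$mode" | cut -c5)        # group read bit
        other_r=$(printf '%s\n' "$mode" | cut -c8)        # other read bit
        if [ "$other_r" = r ]; then
            echo "FINDING: $dev ($mode) is readable by everyone"
            status=1
        elif [ "$group_r" = r ]; then
            echo "NOTE: $dev ($mode) is readable by group '$group'; confirm that group is restricted"
        else
            echo "OK: $dev ($mode)"
        fi
    done
    return $status
}

# Stand-alone use: sh audit_kmem.sh /dev/kmem /dev/mem
if [ "$#" -gt 0 ]; then
    audit_kmem_perms "$@"
fi
```

A non-zero exit marks a node that mortals can read, which is the condition the post calls a gaping hole.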