Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!tut.cis.ohio-state.edu!ucbvax!ulysses!ulysses.att.com!cjc
From: cjc@ulysses.att.com (Chris Calabrese)
Newsgroups: comp.unix.admin
Subject: Re: Kmem security (was: Re: How do you make your UNIX crash ???)
Message-ID: <14487@ulysses.att.com>
Date: 19 Mar 91 14:18:41 GMT
References: <513@bria> <1991Mar12.132003.27383@cs.widener.edu> <14454@ulysses.att.com> <1991Mar13.180300.17697@convex.com> <9103152251.41@rmkhome.UUCP>
Sender: netnews@ulysses.att.com
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 39

rmk@rmkhome.UUCP (Rick Kelly) writes:
>tchrist@convex.COM (Tom Christiansen) writes:
>>From the keyboard of cjc@ulysses.att.com (Chris Calabrese):
>>:Allowing any access to /dev/kmem is asking for trouble.
>>:It's possible to become root on a system which
>>:has a readable /dev/kmem without too much trouble.
>>
>>With just read access? How do you do that? I can understand
>>being able to read other people's data, but I really don't know
>>how you would use this to become the superuser. Reading su passwds?
>>This is much harder in raw mode.
>
>Think about it. Look at the UNIX tools you have available. Consider the fact
>that /dev/kmem is a file. When anyone logs in, even root, login has to decrypt
>the password in /etc/password to compare it to the password typed in. This
>password in memory lies around for a while. It is extremely easy to grab
>passwords out of kmem, and match them to ANY user, including root.

Actually, modern versions of login (especially System V) take great
pains to trash the plain-text copy of passwords ASAP, so they really
only hang around for a second at most. However, this is still time
enough.

Older versions of login (v7, and older BSD varieties) really did keep
the password in memory for a good long time (at least through the life
of the login program, if not longer (depending on whether the kernel
clears memory pages when they're freed or when they're allocated)).

In any event, there are plenty of other programs which read passwords
and don't take such precautions (various screen lock programs, for
instance).

What it all comes down to is this: kmem is a gaping security hole if
mortals have access to it. It's also trivially simple to plug that
hole. Don't whine about it, just do it...

--
Name:			Christopher J. Calabrese
Brain loaned to:	AT&T Bell Laboratories, Murray Hill, NJ
att!ulysses!cjc		cjc@ulysses.att.com
Obligatory Quote:	``pher - gr. vb. to schlep.  phospher - to schlep light.  philosopher - to schlep thoughts.''
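The difference the thread turns on, between a login that leaves the plaintext sitting in memory and one that scrubs it as soon as the comparison is done, can be shown in a few lines of C. The following is an added illustration, not code from any login program or from the posters: a static buffer stands in for the one getpass(3) hands back, a plain string compare stands in for the crypt(3) comparison so the example stays self-contained, and the typed password is constructed test input rather than terminal input. The wipe goes through a volatile pointer so the compiler cannot drop the stores as dead writes, which is what makes a bare memset before return unreliable for this purpose.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 128

/* Static buffer standing in for the one getpass(3) returns. While the
 * login process holds the plaintext here, anyone who can read /dev/kmem
 * can see it; the question is how long it stays. */
static char pwbuf[PW_MAX];

/* Zero a buffer in a way the optimizer cannot remove. Writes through a
 * volatile pointer must be performed even though the buffer is never
 * read again, which is exactly the case in which a plain memset() before
 * return may be elided as a dead store. */
static void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Stand-in for reading the password from the terminal. The argument is
 * constructed test input; a real login would call getpass(3). */
void read_password(const char *typed)
{
    strncpy(pwbuf, typed, PW_MAX - 1);
    pwbuf[PW_MAX - 1] = '\0';
}

/* The old style: compare and return, leaving the plaintext in pwbuf for
 * as long as the process lives (or longer, if the kernel does not clear
 * freed pages). Plaintext compare stands in for crypt(3) here. */
int verify_leaky(const char *stored)
{
    return strcmp(pwbuf, stored) == 0;
}

/* The careful style: compare, then wipe the whole buffer before
 * returning, whether or not the password matched. */
int verify_and_scrub(const char *stored)
{
    int ok = strcmp(pwbuf, stored) == 0;
    secure_wipe(pwbuf, sizeof pwbuf);
    return ok;
}

/* Returns 1 if no plaintext byte remains in the buffer, else 0. This is
 * the check a reviewer wants after the verify call returns. */
int password_buffer_is_clean(void)
{
    size_t i;
    for (i = 0; i < sizeof pwbuf; i++)
        if (pwbuf[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    /* "hunter2" is a constructed sample password for the demonstration. */
    read_password("hunter2");
    printf("leaky:  match=%d clean=%d\n",
           verify_leaky("hunter2"), password_buffer_is_clean());
    read_password("hunter2");
    printf("scrub:  match=%d clean=%d\n",
           verify_and_scrub("hunter2"), password_buffer_is_clean());
    return 0;
}
```

The leaky variant reports a match with the buffer still populated; the scrubbing variant reports the same match with the buffer zeroed, and it zeroes on a failed match as well, so a rejected attempt leaves no more behind than an accepted one. The volatile-pointer loop is the portable fallback where explicit_bzero(3) or memset_s() is not available.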