Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!csus.edu!ucdavis!csusac!unify!longbow!ttank!tts
From: tts@ttank.ttank.com (Karl Bunch)
Newsgroups: comp.unix.admin
Subject: Re: Kmem security (was: Re: How do you make your UNIX crash ???)
Message-ID: <1991Mar24.203327.18426@ttank.ttank.com>
Date: 24 Mar 91 20:33:27 GMT
References: <513@bria> <1991Mar12.132003.27383@cs.widener.edu> <1991Mar18.153201.23325@lth.se> <601@minya.UUCP>
Reply-To: karl@ttank.com
Distribution: usa
Organization: Think Tank Software, Norwalk, CA
Lines: 63

In <601@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>In article <1991Mar18.153201.23325@lth.se>, magnus%thep.lu.se@Urd.lth.se (Magnus Olsson) writes:
>> In article <9103152251.41@rmkhome.UUCP> rmk@rmkhome.UUCP (Rick Kelly) writes:
>> >When anyone logs in, even root, login has to ...
>[Picky, picky, picky! ;-]
>There have been some claims that getting passwords from the kernel is
>"easy". I'd like to see an example of how easy it is. It strikes me
>as being not very easy at all. Well, sure, I can read all of kmem into..

Try this.. Login as root:

    time strings /dev/kmem | grep rootpassword | wc -l

You'll be surprised. Mind you, you shouldn't have anyone running on the system, or have a history file (ksh or csh) that will save the root password into a file. If anyone is on during the test, a ps might show them what grep is looking for.... :-(

Safer would be:

    strings /dev/kmem | tr ' ' '^J' | sort -u | more

and do a /rootpassword

On our local system with 10Mb of memory it took 3 seconds and returned 5 matches! Some of them were where we had used 'cu' to call another host and use the password, and the last, say, 256 characters were all together:

    Welcome to somewhere.... login: ... root rootpassword.. Etc!

And:

    strings /dev/kmem | tr ' ' '^J' | sort -u | wc -l

Only returned 2000 or so words! Not bad! You know "SOMEBODY'S" password is in there.. Just run a guessing program.. At even just 5 guesses per second I would have the account in 7 mins! Just wait for root to login and then run the above.. Save the list of "words" (and this could be cut better than with just tr) and do a guess at root later when he logs out... No problem..

PLEASE PLEASE leave your /dev/kmem world readable.. Hey, why not world writable!

    yes > /dev/kmem

Enough sarcasm.. Let's just say it's dangerous in sooo many ways we can't count them with our current computing ability. :-)

Karl
--
% ----------------------------------------------------------------------------
% Karl Bunch              ||| UUCP:     ..!uunet!zardoz!ttank!karl
% Think Tank Software     ||| INTERNET: karl@ttank.com
% "...you'd be surprised how far a hug will go with Geordi, even Worf!" -- Riker
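The post's remedy is to stop /dev/kmem being world readable. As an added example, not part of Karl's post, here is a small POSIX sh audit that reports whether the usual kernel-memory device nodes (/dev/kmem, /dev/mem and /dev/port are assumed paths; systems without them just report "absent") are readable by everyone, by group, or restricted to root.

```shell
#!/bin/sh
# Added example: audit kernel-memory device nodes for world readability.
# Assumed device paths: /dev/kmem, /dev/mem, /dev/port. Absent nodes are
# reported as such rather than treated as an error.

# Return 0 when an ls(1)-style mode string (e.g. "crw-r--r--") grants
# read access to "other": the 8th character is 'r'. A trailing '*'
# tolerates the '+' or '.' some ls versions append for ACLs/labels.
mode_is_world_readable() {
    case "$1" in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the mode string grants read access to the group
# (5th character is 'r'); a kmem group is the classic compromise that
# lets ps-style tools work without opening the device to everyone.
mode_is_group_readable() {
    case "$1" in
        ????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line describing the node and return 1 if it is world-readable.
classify_device() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo "$dev: absent"
        return 0
    fi
    # First whitespace-separated field of ls -ld is the mode string.
    mode=$(ls -ld "$dev" | cut -d' ' -f1)
    if mode_is_world_readable "$mode"; then
        echo "$dev: world-readable ($mode)"
        return 1
    elif mode_is_group_readable "$mode"; then
        echo "$dev: group-readable ($mode)"
    else
        echo "$dev: restricted ($mode)"
    fi
    return 0
}

# Walk the usual devices; exit status 1 if any is readable by everyone.
audit_kmem_devices() {
    rc=0
    for d in /dev/kmem /dev/mem /dev/port; do
        classify_device "$d" || rc=1
    done
    return $rc
}
```

Run `audit_kmem_devices` as root on the host being checked; a non-zero exit means at least one node needs its "other" read bit cleared.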