Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!samsung!crackers!cpoint!frog!rmkhome!rmk
From: rmk@rmkhome.UUCP (Rick Kelly)
Newsgroups: comp.unix.admin
Subject: Re: Kmem security (was: Re: How do you make your UNIX crash ???)
Message-ID: <9104111945.00@rmkhome.UUCP>
Date: 12 Apr 91 05:03:00 GMT
References: <1991Mar12.132003.27383@cs.widener.edu> <1991Mar24.203327.18426@ttank.ttank.com> <638@minya.UUCP> <1991Apr8.213109.1949@mailer.cc.fsu.edu>
Reply-To: rmk@rmkhome.UUCP (Rick Kelly)
Organization: The Man With Ten Cats
Lines: 36

In article <1991Apr8.213109.1949@mailer.cc.fsu.edu> boyd@nu.cs.fsu.edu writes:
>In article <638@minya.UUCP>, jc@minya.UUCP (John Chambers) writes:
>>> Safer would be:
>>> strings /dev/kmem | tr ' ' '^J' | sort -u | more
>>> and do a /rootpassword
>>OK; that didn't crash the system; I just got a few random-looking strings,
>>followed by::
>> /rootpassword: Command not found.
>>What was it supposed to do? Maybe I'm not a real Unix hacker, after
>>all; I haven't even heard of a "rootpassword" command. Am I missing
>>something good? I also looked around on some of the BSD and Ultrix
>>systems at work, and there was nothing called "rootpassword" anywhere
>>in any of their filesystems.
>This was to invoke a search for the string "rootpassword" in more. It is
>not a standalone command, it is a modifier within more. It could be argued
>that it is one of the more useful features of more. My question is why
>the string "rootpassword" would be anywhere (perhaps the poster intended
>for the real root password to be substituted, just to show how easy it
>can be found. A potential intruder would have to try all the strings
>found, but this is still a drastically reduced searchspace).

One avenue is to search for "root" or any other login in memory in such a way
that you know its offset in /dev/kmem. Do an ASCII dump of kmem at that
offset, and you will soon find the password.

I have done this, but for obvious reasons I leave this as an exercise for the
reader.

Rick Kelly rmk@rmkhome.UUCP frog!rmkhome!rmk rmk@frog.UUCP