Kmem security (was: Re: How do you make your UNIX crash ???)
Karl Bunch
tts at ttank.ttank.com
Mon Mar 25 06:33:27 AEST 1991
In <601 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:
>In article <1991Mar18.153201.23325 at lth.se>, magnus%thep.lu.se at Urd.lth.se (Magnus Olsson) writes:
>> In article <9103152251.41 at rmkhome.UUCP> rmk at rmkhome.UUCP (Rick Kelly) writes:
>> >When anyone logs in, even root, login has to ...
>[Picky, picky, picky! ;-]
>There have been some claims that getting passwords from the kernel is
>"easy". I'd like to see an example of how easy it is. It strikes me
>as being not very easy at all. Well, sure, I can read all of kmem into..
Try this.. Log in as root:

    time strings /dev/kmem | grep rootpassword | wc -l

You'll be surprised. Mind you, you shouldn't have anyone running on the
system or have a history file (ksh or csh) that will save the root password
into a file. If anyone is on during the test a ps might show them what
grep is looking for.... :-(

Safer would be:

    strings /dev/kmem | tr ' ' '^J' | sort -u | more

and do a /rootpassword

On our local system with 10Mb of memory it took 3 seconds and returned
5 matches! Some of them were where we had used 'cu' to call another host
and use the password and the last say 256 characters were all together:

    Welcome to somewhere....
    login:
    ...
    root
    rootpassword..

Etc! And:

    strings /dev/kmem | tr ' ' '^J' | sort -u | wc -l

Only returned 2000 or so words! Not bad! You know "SOMEBODY'S" password
is in there.. Just run a guessing program.. At even just 5 guesses per
second I would have the account in 7 mins! Just wait for root to log in
and then run the above.. Save the list of "words" (And this could be
cut better than with just tr) and do a guess at root later when he logs
out...

No problem.. PLEASE PLEASE leave your /dev/kmem world readable.. Hey
why not world writable!

    yes > /dev/kmem

Enough sarcasm.. Let's just say it's dangerous in sooo many ways we
can't count them with our current computing ability. :-)
Karl
--
% ----------------------------------------------------------------------------
% Karl Bunch ||| UUCP: ..!uunet!zardoz!ttank!karl
% Think Tank Software ||| INTERNET: karl at ttank.com
% "...you'd be surprised how far a hug will go with Geordi, even Worf!" -- Riker
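
A defensive check for the exposure discussed in the post above, as an added example that is not part of the original message: it flags memory device nodes that are world-readable, world-writable or group-writable. The device list and the treatment of group read (for example root:kmem, mode 0640) as an acceptable baseline are assumptions.

```shell
#!/bin/sh
# Added example: audit memory device nodes for the exposure discussed above.
# Assumptions (not from the post): the device list, and that group read
# (e.g. root:kmem, mode 0640) is an acceptable baseline.

# classify_perms MODE_STRING
# MODE_STRING is the first field of `ls -ln`, e.g. "crw-r-----".
# Prints "ok" or a comma-separated list of findings.
classify_perms() {
    finding=""
    case $1 in ???????r*)  finding="world-readable" ;; esac
    case $1 in ????????w*) finding="${finding:+$finding,}world-writable" ;; esac
    case $1 in ?????w*)    finding="${finding:+$finding,}group-writable" ;; esac
    echo "${finding:-ok}"
}

# audit_nodes PATH...
# Reports each node's mode and findings; returns 1 if any node has a finding.
audit_nodes() {
    rc=0
    for dev in "$@"; do
        if [ ! -e "$dev" ]; then
            echo "$dev: not present"
            continue
        fi
        perms=$(ls -lnd "$dev" | awk '{print $1}')
        result=$(classify_perms "$perms")
        echo "$dev: $perms $result"
        [ "$result" = ok ] || rc=1
    done
    return "$rc"
}

# Constructed mode strings, to show the classification without touching /dev:
for sample in crw-r----- crw-r--r-- crw-rw-rw-; do
    echo "sample $sample -> $(classify_perms "$sample")"
done

# Live check of the nodes present on this host.
audit_nodes /dev/mem /dev/kmem /dev/port || echo "FINDING: tighten the modes listed above"
```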