Bugtraq mailing list archives

Group kmem exploitable?

From: oxymoron () WASTE ORG (Oliver Xymoron)
Date: Tue, 23 Feb 1999 13:37:32 -0600


With all the back and forth about whether kmem is writable or not, I think
it might be worth pointing out that with read access to /dev/mem and
/dev/kmem, it's certainly possible to snoop passwords. Though technically
challenging, there's no reason you can't parse the process tables,
etc. to figure out the exact location of the buffer being used to store a
password as it's being typed. Despite being an asynchronous procedure and
basically being a huge race, people type their passwords pretty slowly.
Finding whether a process has libpam mapped and whether or not it's
currently in the password entry procedure, etc. doesn't take too long..

Convincing root he needs to type his password is a comparatively small
exercise in social engineering.
--
 "Love the dolphins," she advised him. "Write by W.A.S.T.E.."

Current thread:

Re: Process table attack (from RISKS Digest), (continued)
- - - Re: Process table attack (from RISKS Digest) Jan B. Koum (Feb 22)
    - ANNOUNCE: Net::RawIP 0.06 has been released Sergey V. Kolychev (Feb 22)
    - Summary: Copyright on Security advisories Aviram Jenik (Feb 22)
    - Re: Process table attack (from RISKS Digest) Dug Song (Feb 22)
    - NetBus client 1.x overflow Daniel Rosowski (Feb 22)
    - Re: Process table attack (from RISKS Digest) James Lockwood (Feb 22)
    - Re: Process table attack (from RISKS Digest) Dirk Moerenhout (Feb 22)
    - Re: Process table attack (from RISKS Digest) unknown () RIVERSTYX NET (Feb 22)
    - Re: Process table attack (from RISKS Digest) Andrew Hobgood (Feb 22)
    - Denial of service process table attacks John Conover (Feb 23)
    - Group kmem exploitable? Oliver Xymoron (Feb 23)
    - Re: Pro/wuFTPD DoS Alex Belits (Feb 21)
  - ISS install.iss security hole Fyodor (Feb 20)
    - Re: ISS install.iss security hole Joel Eriksson (Feb 22)
    - Preventing remote OS detection Patrick Gilbert (Feb 22)
    - Re: Preventing remote OS detection James Lockwood (Feb 22)
    - Re: Preventing remote OS detection route () RESENTMENT INFONEXUS COM (Feb 22)
    - Re: Preventing remote OS detection Salvatore Sanfilippo (Feb 23)
    - Re: ISS install.iss security hole Peter Benie (Feb 22)
    - Re: ISS install.iss security hole Michael Warfield (Feb 22)
    - BlackHats Advisory -- InterScan VirusWall The Unicorn (Feb 22)

(Thread continues...)