Bugtraq mailing list archives

Re: /dev/{km,m}em worries


From: mouse () collatz mcrcim mcgill edu (der Mouse)
Date: Tue, 17 May 1994 14:07:07 -0400


What exactly are the problems with having /dev/mem and /dev/kmem
readable by other?

Oy, serious security hole.  Anyone on the system can spy on anything in
physical memory (/dev/mem) or anything in kernel space (/dev/kmem).
This includes things like tty input buffers and internal state of any
process, including programs like passwd and login.  (At least they're
not world-write.  *That* would be scary.)

Is there anything I can be watchful of, to make sure that we haven't
been compromised?

Nothing specific; if anyone has sailed through that particular hole,
you have no direct way of knowing it.  I do - strongly - recommend that
you remove those world read bits, and if you want to be paranoid,
assume that anyone who can log in to your system at all has seen
anything typed since those world read bits were set, including all
passwords (and thus, presumably, change most to all of them, and check
yourself thoroughly for planted trojans and the like).  How much of
this you actually do depends on your paranoia level and things like the
level of expertise of your user community.  If, for example, all users
who can log in already know your root password (such as on a dedicated
server machine), you are not any further at risk due to having
/dev/*mem world readable.

Note that if the filesystem /dev is on is mounted from any other
machine, that other machine may well have been equally compromised,
even if the mount was done read-only.  (But not if it was done nodev.)

Can anyone provide me with information on how to exploit a mismatched
perm on mem/kmem (if any)?

I don't have an exploit script, if that's what you want; I've never had
occasion to construct one.  However, I've done enough (run-as-root)
kmem readers that if I had the incentive and access to the relevant .h
files, I could probably build a program that spies on your tty input
buffers pretty quickly.  (I'd do it now, but I have too many other
things to do first.)

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
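The advice above boils down to one concrete check: make sure the "other" read bit is clear on /dev/mem and /dev/kmem. The following audit script is an added example (it is not from der Mouse's post or from any BSD distribution); it assumes GNU `stat -c '%a'` for reading the octal mode, and the helper name `is_world_readable` is the example's own.

```shell
#!/bin/sh
# Audit /dev/mem and /dev/kmem for the world-read bit that der Mouse
# warns about.  Added example, not part of the original post.
# Assumes GNU stat (the -c '%a' option prints the octal mode).

# is_world_readable MODE
#   MODE is an octal permission string such as 640, 0644 or 7.
#   Returns 0 (true) if the "other" read bit (04) is set, 1 otherwise.
#   Exits 2 on a malformed mode so a typo never reads as "safe".
is_world_readable() {
    mode="$1"
    case "$mode" in
        ''|*[!0-7]*) echo "is_world_readable: bad mode '$mode'" >&2; exit 2 ;;
    esac
    # Last octal digit is the "other" triplet (pure POSIX sh, no sed).
    other="${mode#"${mode%?}"}"
    [ $(( other & 4 )) -ne 0 ]
}

# audit_mem_devices
#   Prints one line per existing memory device and returns 1 if any
#   of them is readable by "other", 0 if all are locked down.
#   The suggested fix (chmod o-r) is der Mouse's recommendation; the
#   reasoning in the post also applies to a /dev that is NFS-mounted
#   without the nodev option.
audit_mem_devices() {
    rc=0
    for dev in /dev/mem /dev/kmem; do
        [ -e "$dev" ] || continue
        mode=$(stat -c '%a' "$dev") || { rc=1; continue; }
        if is_world_readable "$mode"; then
            echo "WARN: $dev mode $mode is world-readable; fix with: chmod o-r $dev"
            rc=1
        else
            echo "ok:   $dev mode $mode"
        fi
    done
    return $rc
}

# Run the audit when the script is executed directly; the exit status
# is non-zero if either device needs attention.
audit_mem_devices
```

Run it as root or as any user (reading the mode needs no privilege); a non-zero exit status is the signal to act on, so it drops into a cron job or a configuration-audit run without further wrapping.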
