oss-sec mailing list archives

Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC)


From: Vasiliy Kulikov <segoon () openwall com>
Date: Wed, 29 Jun 2011 22:03:04 +0400

Hi,

One more thing, this is more dangerous, but very conditional.

Create one system account with no files (a victim).  This simplifies
measurements.

As an attacker:
    Start taskstats listener in the background.
    Switch to tty1, push SAK to kill the current login task.
    Enter some fake username and password, e.g. 1:1.
    The login fails, of course.

Now the attacker hides and the victim comes to tty1.
    He enters his username:password.
    The login succeeds from the first try.
    The victim exits from the shell.

Attacker measures login's read_characters value.  The victim has to
succeed from the first try and shouldn't push SAK :)

Now the attacker has to increment the fake password length (incrementing
the resulting read_characters of the dead login task) and wait for
the victim's successful login.  After ~log2(1024) tries (binary search)
he learns the precise password length.


As an exiting "login" just waits for the child to exit to call
pam_close_session(), the victim's activity doesn't really add any noise.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments


Current thread: