[9776] in bugtraq
Group kmem exploitable?
daemon@ATHENA.MIT.EDU (Oliver Xymoron)
Tue Feb 23 21:35:16 1999
Date: Tue, 23 Feb 1999 13:37:32 -0600
Reply-To: Oliver Xymoron <oxymoron@WASTE.ORG>
From: Oliver Xymoron <oxymoron@WASTE.ORG>
To: BUGTRAQ@NETSPACE.ORG
With all the back and forth about whether kmem is writable or not, I think
it might be worth pointing out that with read access to /dev/mem and
/dev/kmem, it's certainly possible to snoop passwords. Though technically
challenging, there's no reason you can't parse the process tables,
etc. to figure out the exact location of the buffer being used to store a
password as it's being typed. Despite being an asynchronous procedure and
basically being a huge race, people type their passwords pretty slowly.
Finding whether a process has libpam mapped and whether or not it's
currently in the password entry procedure, etc. doesn't take too long.
Convincing root he needs to type his password is a comparatively small
exercise in social engineering.
--
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."
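The defensive counterpart to the point made in this message is simply to check who can read the memory devices at all. The following audit script is an added example and is not part of the original post or the author's work; it flags /dev/mem and /dev/kmem whenever group or world read permission is set (read access is the whole concern here, not just write), and lists the members of the kmem group, since on systems where the nodes are mode 640 root:kmem every member of that group has the same access. It assumes Linux with GNU coreutils (`stat -c`) and glibc's `getent`; both are assumptions of the example, not something the post states.

```shell
#!/bin/sh
# Added example, not part of the original post: audit whether /dev/mem and
# /dev/kmem are readable by anyone other than root, and who is in the kmem
# group. Read access alone is enough to snoop process memory, so group- and
# world-readable modes are flagged, not only writable ones.
# Assumptions: Linux, GNU coreutils `stat -c`, glibc `getent`.

# mode_grants_nonroot_read MODE
# Returns 0 if the octal MODE (as printed by `stat -c %a`, e.g. 640 or 0640)
# grants read permission to group or other; returns 1 otherwise.
mode_grants_nonroot_read() {
    # Left-pad, then keep the last three digits (drops any setuid/setgid/sticky digit).
    perm=$(printf '000%s' "$1" | tail -c 3)
    group_digit=$(printf '%s' "$perm" | cut -c2)
    other_digit=$(printf '%s' "$perm" | cut -c3)
    # The read bit is 4 within each octal digit.
    [ $((group_digit & 4)) -ne 0 ] || [ $((other_digit & 4)) -ne 0 ]
}

# device_verdict PATH
# Prints MISSING, UNKNOWN, EXPOSED (...) or ROOT-ONLY (...) for the node at PATH.
# Always returns 0 so it can be used at top level without tripping `set -e`.
device_verdict() {
    dev=$1
    [ -e "$dev" ] || { printf 'MISSING\n'; return 0; }
    info=$(stat -c '%a %U %G' "$dev" 2>/dev/null) || { printf 'UNKNOWN\n'; return 0; }
    set -- $info
    mode=$1; owner=$2; group=$3
    if mode_grants_nonroot_read "$mode"; then
        printf 'EXPOSED (mode %s, %s:%s)\n' "$mode" "$owner" "$group"
    elif [ "$owner" != "root" ]; then
        printf 'EXPOSED (owned by %s, mode %s)\n' "$owner" "$mode"
    else
        printf 'ROOT-ONLY (mode %s, %s:%s)\n' "$mode" "$owner" "$group"
    fi
    return 0
}

# kmem_group_members
# Prints the comma-separated member list of the kmem group; prints nothing if
# the group does not exist or getent is unavailable.
kmem_group_members() {
    command -v getent >/dev/null 2>&1 || return 0
    getent group kmem | cut -d: -f4
}

# Report on both memory devices and on who holds kmem group membership.
for dev in /dev/mem /dev/kmem; do
    printf '%s: %s\n' "$dev" "$(device_verdict "$dev")"
done
printf 'kmem group members: %s\n' "$(kmem_group_members)"
```

Any EXPOSED line, or a kmem group with non-empty membership, means the snooping described above is possible for those users without any write access. On current Linux kernels the picture is different from 1999: /dev/kmem was removed in 5.13, and with CONFIG_STRICT_DEVMEM enabled /dev/mem no longer exposes RAM belonging to processes, so a MISSING verdict for /dev/kmem is the expected result there.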