[709] in bugtraq
Re: Hijacking tool
daemon@ATHENA.MIT.EDU (Darren Reed)
Mon Jan 23 19:49:59 1995
From: Darren Reed <avalon@coombs.anu.edu.au>
To: jim@Tadpole.COM
Date: Tue, 24 Jan 1995 10:31:21 +1100 (EDT)
Cc: bugtraq@fc.net, cklaus@iss.net, firewalls@GreatCircle.COM, cert@cert.org
In-Reply-To: <9501232236.AA17724@chiba> from "jim@Tadpole.COM" at Jan 23, 95 04:36:49 pm
>
> > There is a tool floating around called TAP which is a kernel mod that
> > allows you to easily watch streams on SunOS, and capture what a person
> > is typing. It is easy to modify so that you could actually write to
> > the stream thus emulating that person and hijacking their terminal
> > connection.
> >
> > To load the modules, the intruder does a modload to add the module to
> > the kernel. One way to detect the hijacking tool is to do a
> >
> > modstat
> >
> > and see if there are any unfamiliar modules loaded. An intruder could trojan
> > modstat so it might be worthwhile to check the integrity of modstat.
>
> If the 'cracker' has enough access to modload the code of his or her
> choosing into your machine, you have no security.
>
> That is to say, anyone who can modload the code is *already* root, and
> could, with enough care and patience, just read the data out of the kernel
> streams buffers using, oh, adb, or even 'crash'.
[...]
In the more recent versions of BSD-based operating systems based on
4.4-Lite, with the kernel security level stuff, I believe it is not
possible to load a kernel module after it has left single user mode.
Does anyone know of a hack to SunOS which affords the same kind of
`protection'? Of course, /dev/kmem & /dev/mem would need to become
read-only devices too...
Darren
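As an added example (not part of this thread and not code posted by anyone in it): a small POSIX sh script implementing the detection step suggested in the quoted message, comparing a loaded-module listing against a baseline recorded on a clean system and checking the listing tool's own checksum, since the thread points out that modstat itself could be trojaned. The module names, the listing format and the baseline values are constructed assumptions, not the real SunOS modstat output.

```shell
#!/bin/sh
# Added example: baseline comparison of a kernel module listing, plus an
# integrity check of the listing tool. Sample data below is constructed.

# Module names an admin recorded on a known-clean system (constructed).
BASELINE_MODULES="nfs_srv
vol_mod"

# A constructed listing in the spirit of a modstat report: id, name, type.
# This does not claim to be the real SunOS 4 output format.
SAMPLE_LISTING="1 nfs_srv driver
2 vol_mod driver
3 tap streams"

# Print every name in column 2 of the listing that is absent from the baseline.
unknown_modules() {
    listing="$1"; baseline="$2"
    printf '%s\n' "$listing" | awk '{print $2}' | while read -r name; do
        printf '%s\n' "$baseline" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Compare a checksum recorded offline for the listing tool (e.g. modstat)
# against the binary currently on disk. Returns 0 on match, 1 otherwise.
# cksum(1) is POSIX; a stronger hash kept on read-only media is preferable,
# but the comparison logic is identical.
tool_intact() {
    path="$1"; expected="$2"
    actual=$(cksum "$path" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Run the comparison against the constructed sample data.
unknown_modules "$SAMPLE_LISTING" "$BASELINE_MODULES"
```

On a real system the baseline and the tool checksum must be captured before any compromise and stored where a root-level intruder cannot rewrite them, otherwise the comparison proves nothing.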