Re: Does Linux process exist information leakage?

Yeah, it is the countermeasure to a similar security risk. But I know little about Samba; could you explain more precisely how the attacker seeks the credentials? That is exactly what I wanted to test but failed at...

Thanks!

2012/1/12 Scott Lovenberg <scott.lovenberg@xxxxxxxxx>


On Wed, Jan 11, 2012 at 11:45, Dave Hylands <dhylands@xxxxxxxxx> wrote:
Hi,

On Wed, Jan 11, 2012 at 4:53 AM, 夏业添 <summerxyt@xxxxxxxxx> wrote:
> Hi,
>    My tutor asked me to test whether a process leaves information in
> memory after it is dead. I tried to search for articles about such a thing on
> the Internet, but there seems to be no one discussing it. After that,
> I tried to write a program in user mode to test it, using fork() to
> create lots of processes and filling the char 'a' into a 102400-byte char array
> in each process. Then I used malloc() to get some memory and searched for the char 'a' in
> one new process or many new processes, but failed. All memory I malloced
> was full of zeros.

Yeah - so if it were possible for one process to get information about
another process like that you would have a security leak.

>    As the man page of malloc says, "The memory is not initialized", I believe
> that the memory obtained by malloc() could be used by another process,
> and therefore information leakage exists. But how can I test it? Or where can
> I get related information?

All pages allocated from the OS will be initially zeroed; however,
once your process owns the page, if you filled it with Z's and then
freed it and reallocated it, you might very well get your Z's back
instead of 0's. You'll never get data from another process though.
 
Real-world example in C: I fixed a security bug in Samba that dealt with this exact problem. Credential files were read into memory as the root user and then the memory was freed without being zeroed. A user could therefore read the contents of a file that they didn't have permission to read, because the whole thing was put in memory by a user that had permission to view the file. Someone clever could churn through memory and find the credentials if they knew that the mount command had just been run.

I added a memset() to the end of the parsing function to zero out the memory before freeing it back to the OS.
http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c  (you can skip to the end of the patch if you don't want to follow the entire flow of the code)

Does this help express the idea any better?
--
Peace and Blessings,
-Scott.
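The fill/free/reallocate behaviour Dave describes and the memset-before-free fix Scott applied in cifs-utils, as an added example in C that is not code from this thread, from cifs-utils or from Samba. The "credential file" is a constructed stand-in (a buffer filled with a marker byte), and the names SECRET_LEN, load_secret, release_secret and count_leaked_bytes are assumptions made for this example. It also shows the caveat that matters when you apply the fix: a plain memset() just before free() can be dropped by the compiler as a dead store, so the wipe is done through a volatile function pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not code from the thread, cifs-utils or Samba): a
 * stand-in for reading a credential file into heap memory, freeing it
 * with and without scrubbing, and counting how many bytes of the
 * "secret" survive in the next allocation of the same size. */

#define SECRET_LEN 4096   /* assumed size of the constructed secret */

/* A plain memset() right before free() may be removed by the compiler as
 * a dead store, because the buffer is never read again. Calling memset
 * through a volatile function pointer forces the write to happen.
 * (glibc's explicit_bzero() or C11 memset_s() do the same job where
 * available.) */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

/* Constructed stand-in for parsing a credentials file: the buffer is
 * filled with a recognisable marker byte in place of password bytes. */
static char *load_secret(size_t len)
{
    char *buf = malloc(len);
    if (!buf)
        return NULL;
    memset(buf, 'Z', len);
    return buf;
}

/* Release the buffer either the leaky way (plain free) or the fixed way
 * (scrub, then free), mirroring the memset-before-free fix described
 * above. */
static void release_secret(char *buf, size_t len, int scrub)
{
    if (scrub)
        secure_memset(buf, 0, len);
    free(buf);
}

/* Allocate a same-sized buffer again, without initialising it, and count
 * the marker bytes it still contains. Allocators commonly hand back the
 * chunk that was just freed, and malloc(3) does not clear it, so a
 * non-zero count is typical for the leaky path (the exact number depends
 * on the allocator and on how much free-list metadata it writes into the
 * chunk). For the scrubbed path the count is zero, since every marker
 * byte written in this process was wiped before the chunk was released. */
static size_t count_leaked_bytes(size_t len, int scrub)
{
    char *secret = load_secret(len);
    if (!secret)
        return 0;
    release_secret(secret, len, scrub);

    char *reuse = malloc(len);  /* not initialised, per malloc(3) */
    if (!reuse)
        return 0;
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (reuse[i] == 'Z')
            n++;
    free(reuse);
    return n;
}

int main(void)
{
    /* Run the scrubbed case first, so that leftovers from the leaky run
     * cannot be mistaken for a failed scrub if the allocator hands out a
     * different chunk the second time. */
    printf("scrubbed free: %zu of %d marker bytes survived in the next allocation\n",
           count_leaked_bytes(SECRET_LEN, 1), SECRET_LEN);
    printf("leaky free:    %zu of %d marker bytes survived in the next allocation\n",
           count_leaked_bytes(SECRET_LEN, 0), SECRET_LEN);
    return 0;
}
```

Compile with optimisation (e.g. `cc -O2`) to see why the volatile pointer matters: replace `secure_memset` with a direct `memset` in release_secret and inspect the generated code, and the wipe is liable to disappear. The leaky count says nothing about other processes, which is Dave's point: the reused bytes only ever come from this process's own freed memory; the cifs-utils case was dangerous because the process doing the reading ran as root and the memory was later reachable by code running on behalf of a less privileged user.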


_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
