Kmem security (was: Re: How do you make your UNIX crash ???)

Rick Kelly rmk at rmkhome.UUCP
Fri Apr 12 15:03:00 AEST 1991


In article <1991Apr8.213109.1949 at mailer.cc.fsu.edu> boyd at nu.cs.fsu.edu writes:
>In article <638 at minya.UUCP>, jc at minya.UUCP (John Chambers) writes:

>>> Safer would be:
>>> strings /dev/kmem | tr ' ' '^J' | sort -u | more
>>> and do a /rootpassword

>>OK; that didn't crash the system; I just got a few random-looking strings,
>>followed by:
>>	/rootpassword: Command not found.
>>What was it supposed to do?  Maybe I'm not a real Unix hacker, after
>>all; I haven't even heard of a "rootpassword" command.  Am I missing
>>something good?  I also looked around on some of the BSD and Ultrix
>>systems at work, and there was nothing called "rootpassword" anywhere
>>in any of their filesystems.


>This was to invoke a search for the string "rootpassword" in more.  It is
>not a standalone command; it is a modifier within more.  It could be argued
>that it is one of the more useful features of more.  My question is why
>the string "rootpassword" would be anywhere (perhaps the poster intended
>for the real root password to be substituted, just to show how easily it
>can be found.  A potential intruder would have to try all the strings
>found, but this is still a drastically reduced search space).



One avenue is to search for "root" or any other login in memory in such a
way that you know its offset in /dev/kmem.  Do an ASCII dump of kmem at
that offset, and you will soon find the password.

I have done this, but for obvious reasons I leave this as an exercise for
the reader.


Rick Kelly	rmk at rmkhome.UUCP	frog!rmkhome!rmk	rmk at frog.UUCP