On Thu, Jan 12, 2012 at 12:00, Jonathan Neusch?fer [off-list ref]wrote:

On Wed, Jan 11, 2012 at 12:52:33PM -0500, Scott Lovenberg wrote:

quoted

Real world example in C; I fixed a security bug in Samba that dealt with
this exact problem.  Credential files were read to memory as the root

user

quoted

and then the memory was freed without being zeroed.  A user could

therefore

quoted

read the contents of a file that they didn't have permission to read
because the whole thing was put in memory by a user that had permission

to

quoted

view the file.  Someone clever could churn through memory and find the
credentials if they knew that the mount command was just run.

I added a memset() to the end of the parsing function to zero out the
memory before freeing back to the OS.

Could you please clarify how this "churning through memory" would work?

Of course someone could find another security bug and access heap space,
but that requires said other bug. Debuggers are also irrelevant to this,
because you need certain parmissions to run a program through a
debugger, and if you do that, you might also set a breakpoint in the
function and catch the credentials when it's run.

Swap disk are a real issue under some circumstances, though.
A page containing sensitive data may be swapped out and not be over-
written before an attacker can boot from an external medium (CD etc.)
and peek through the swap disk.
If you don't suspend (which means writing all pages to persistent
storage), mlock() would be the solution here (CMIIW). (Which doesn't
mean zeroing isn't also a good idea)

Of course, people should also encrypt their disks on this kind of server.

Thanks,
        Jonathan Neusch?fer

Sorry for taking so long to reply.

Let me walk you guys through how this bug could be exploited.
The file that you want to access is blocked from you by file system
permissions.  The root user (uid==0) can access this file (that contains
credentials) and read it into memory that it has malloc()'ed.  After the
process running as root is done, it free()'s the memory without zeroing it
out.  Now you (you clever hacker) spawn a process that requests memory in
large hunks.  It then searches for the string "password=" in that memory.
 Since the memory was free()'ed back to the pool without being changed, it
still contains the original information that was in the file that you
cannot read.  Does this make sense, or should I go into t a bit more detail?


-- 
Peace and Blessings,
-Scott.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20120116/db40fcba/attachment.html