Date: Wed, 29 Jun 2011 22:03:04 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
	oss-security@...ts.openwall.com, security@...nel.org
Subject: Re: [Security] CVE request: kernel: taskstats/procfs io infoleak
 (was: taskstats authorized_keys presence infoleak PoC)

Hi,

One more thing: this is more dangerous, but very conditional.

Create one system account with no files (a victim).  This simplifies
measurements.

As an attacker:
    Start a taskstats listener in the background.
    Switch to tty1, press SAK to kill the current login task.
    Enter some fake username and password, e.g. 1:1.
    The login fails, of course.

Now the attacker hides and the victim comes to tty1.
    He enters his username:password.
    The login succeeds on the first try.
    The victim exits from the shell.

The attacker measures login's read_characters value.  The victim has to
succeed on the first try and shouldn't press SAK :)

Now the attacker has to increment the fake password length (incrementing
the resulting read_characters of the dead login task) and wait for
the victim's successful login.  After ~log2(1024) tries (binary search)
he learns the precise password length.


As exiting "login" just waits for the child to exit to call
pam_close_session(), the victim's activity doesn't really add any noise.

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
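The procfs half of this infoleak is whether an unprivileged user can read another user's /proc/<pid>/io, where `rchar` is the counterpart of the read_characters counter measured above. The following audit script is an added example, not code from the mail or from Openwall: run as an ordinary user, it lists foreign processes whose io file the kernel lets you read; an empty result means the read is refused (EACCES/EPERM) and this channel is closed for that caller. The sample text is constructed in the /proc/<pid>/io format for offline parsing.

```python
"""Audit whether other users' /proc/<pid>/io files are readable (added example)."""
import os
import re

# Counter names found in /proc/<pid>/io, one "name: value" per line.
IO_FIELDS = ("rchar", "wchar", "syscr", "syscw",
             "read_bytes", "write_bytes", "cancelled_write_bytes")

# Constructed sample in the /proc/<pid>/io format, for offline parsing.
SAMPLE_IO = ("rchar: 1234\nwchar: 56\nsyscr: 7\nsyscw: 8\n"
             "read_bytes: 0\nwrite_bytes: 4096\ncancelled_write_bytes: 0\n")

def parse_proc_io(text):
    """Parse /proc/<pid>/io text into a {counter_name: int} mapping."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)$", line.strip())
        if m and m.group(1) in IO_FIELDS:
            counters[m.group(1)] = int(m.group(2))
    return counters

def foreign_pids():
    """Return (pid, uid) pairs for every process not owned by the caller."""
    me = os.geteuid()
    pids = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            uid = os.stat(f"/proc/{name}").st_uid
        except OSError:
            continue  # task exited between listdir() and stat()
        if uid != me:
            pids.append((int(name), uid))
    return pids

def audit_io_exposure():
    """Return (pid, uid, rchar) for each foreign task whose io file is readable."""
    leaked = []
    for pid, uid in foreign_pids():
        try:
            with open(f"/proc/{pid}/io") as f:
                counters = parse_proc_io(f.read())
        except OSError:
            continue  # EACCES/EPERM on a kernel that restricts the file
        if "rchar" in counters:
            # Empty result overall means the rchar channel is closed for us.
            leaked.append((pid, uid, counters["rchar"]))
    return leaked
```

Call `audit_io_exposure()` from an unprivileged shell (not root, which can always read the files) and treat any returned entry as a sign that cross-user I/O counters are exposed on that host.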
