Date: Wed, 29 Jun 2011 22:03:04 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Andrew Morton <akpm@...ux-foundation.org>, oss-security@...ts.openwall.com, security@...nel.org
Subject: Re: [Security] CVE request: kernel: taskstats/procfs io infoleak (was: taskstats authorized_keys presence infoleak PoC)

Hi,

One more thing, this is more dangerous, but very conditional.

Create one system account with no files (a victim). This simplifies measurements.

As an attacker: Start a taskstats listener in the background. Switch to tty1, push SAK to kill the current login task. Enter some fake username and password, e.g. 1:1. The login fails, of course.

Now the attacker hides and the victim comes to tty1. He enters his username:password. The login succeeds from the first try. The victim exits from the shell. The attacker measures login's read_characters value.

The victim has to succeed from the first try and shouldn't push SAK :)

Now the attacker has to increment the fake password length (incrementing the resulting read_characters of the dead login task) and wait for the successful victim's login. After ~log2(1024) tries (binary search) he learns the precise password length.

As the exiting "login" just waits for the child to exit to call pam_close_session(), the victim's activity doesn't really add any noise.

--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments