Date: Wed, 29 Jun 2011 22:03:04 +0400
From: Vasiliy Kulikov <>
To: Linus Torvalds <>
Cc: Andrew Morton <>,,
Subject: Re: [Security] CVE request: kernel: taskstats/procfs io infoleak
 (was: taskstats authorized_keys presence infoleak PoC)


One more thing, this is more dangerous, but very conditional.

Create one system account with no files (a victim).  This simplifies

As an attacker:
    Start taskstats listener in the background.
    Switch to tty1, push SAK to kill current login task.
    Enter some fake username and password, e.g. 1:1.
    The login fails, of course.

Now the attacker hides and the victim comes to tty1.
    He enters his username:password.
    The login succeeds from the first try.
    The victim exits from the shell.

Attacker measures login's read_characters value.  The victim has to
succeed from the first try and shouldn't push SAK :)

Now the attacker has to increment the fake password length (incrementing
the resulting read_characters of the dead login task) and wait for
the victim's successful login.  After ~log2(1024) tries (binary search)
he learns the precise password length.

As exiting "login" just waits for the child to exit to call
pam_close_session(), victim's activity doesn't really add any noise.

Vasiliy Kulikov - bringing security into open computing environments
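A defender-side check for the exposure the mail describes, added here as an example and not part of the original message or of any kernel code. The leak only works if an unprivileged user can read the per-task I/O counters of processes belonging to other users; the mail's read_characters corresponds to the rchar field of /proc/<pid>/io (taskstats reports the same counter as read_char). The script below parses a constructed /proc/<pid>/io sample and then, on a live system, lists processes of other users whose io file the current user can read. On a kernel that gates /proc/<pid>/io on ptrace permission the list is empty for a non-root user; a non-empty list means the counters are still exposed. The sample text and the function names are assumptions made for this example.

```python
import os

# Constructed sample of a /proc/<pid>/io file; the field names are the
# ones the kernel uses, the numbers are made up for this example.
SAMPLE_PROC_IO = """rchar: 3214
wchar: 128
syscr: 41
syscw: 7
read_bytes: 4096
write_bytes: 0
cancelled_write_bytes: 0
"""


def parse_proc_io(text):
    """Parse the 'name: value' lines of /proc/<pid>/io into a dict of ints."""
    counters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        counters[name.strip()] = int(value.strip())
    return counters


def io_counters_readable(pid):
    """True if /proc/<pid>/io can be read by the calling user,
    False on EACCES/EPERM, None if the process (or procfs) is gone."""
    try:
        with open(f"/proc/{pid}/io") as fh:
            parse_proc_io(fh.read())
    except PermissionError:
        return False
    except (FileNotFoundError, ProcessLookupError):
        return None
    return True


def exposed_foreign_pids(proc_root="/proc", my_uid=None):
    """Return the pids of processes owned by other uids whose I/O counters
    the calling user can read.  An unprivileged user should get [] on a
    kernel that restricts /proc/<pid>/io to ptrace-capable callers."""
    if my_uid is None:
        my_uid = os.getuid()
    exposed = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            owner = os.stat(os.path.join(proc_root, entry)).st_uid
        except OSError:
            continue  # process exited between listdir and stat
        if owner == my_uid:
            continue  # our own processes are legitimately readable
        if io_counters_readable(entry):
            exposed.append(int(entry))
    return exposed


if __name__ == "__main__":
    pids = exposed_foreign_pids()
    if pids:
        print(f"I/O counters of {len(pids)} foreign processes are readable, e.g. pid {pids[0]}")
    else:
        print("no foreign /proc/<pid>/io readable: counters are not exposed to this user")
```

Run it as an ordinary (non-root) user; root can read every io file legitimately, so the result is only meaningful without CAP_SYS_PTRACE.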
