There's an interesting caveat to the Honeyman paper, "Hijacking
AFS", which was mentioned earlier on this mailing list:
>Hijacking AFS
>P. Honeyman, L.B. Huston, M.T. Stolarchuk
>ftp.sage.usenix.org:/pub/usenix/winter92/hijacking-afs.ps.Z
Honeyman and his team used root access to examine /dev/mem and
/dev/kmem, searching for information in an elaborate scheme that
ultimately allowed them to steal a victim's tickets and gain access
to the victim's protected file space.
What the Honeyman paper neglects to mention, however, is that AFS 3.0,
the version attacked, wasn't designed to be multiuser safe, in that any
user wishing to steal another's tokens could do so merely by faking the
Unix UID: the attacker becomes root, types "su victim" and thereby
acquires the victim's tokens, allowing him to issue any authenticated
commands that the victim can.
In reading the Honeyman paper, I was reminded of a Mark Twain story
in which Huck tries to rescue a friend whose arm has been handcuffed to
a wooden bedpost. Huck saws the bedpost in half, removes the handcuff,
then cleans up the evidence by eating the sawdust and applying
brown shoe polish to the severed bedpost junction. (Huck and his friend
could have escaped more easily by lifting the handcuffs up over the
bedpost.)
Honeyman briefly states that "root" is not required to search
/dev/mem and /dev/kmem. But one would think that if a victim's
memory could be searched with abandon, then in a real-world situation
one could much more easily find and use a password than identify and
extract tickets from kernel memory and rewrite the AFS Kerberos utilities
with forged information to spoof the servers.
-Bob