Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Linux OpenExchange - cleartext rootpw in swap

from [Rainer Duffner] Network Security [Permanent Link]
Subject: Re: Linux OpenExchange - cleartext rootpw in swap
Date: Tue, 31 Aug 2004 20:48:50 +0200 (CEST) 
On Di, 31.08.2004, 10:11, Rene sagte:



date: 31.08.2004
author: l0om   -  l0om [at] excluded dot org - www.excluded.org
discovered in: SuSE Linux Openexchange Server 4
problem: cleartext rootpw in swap caused by fergotten "mlock" or wiping
out memory


hi,

i have noticed my root password flying around on my swap in cleartext.
an attacker who has successfully rooted a box can get the cleartext
password from the swap device.

i dont know if this is caused by some SuSE mistake at the web login- maybe
its a fault in openldap.
i dont know exactly where this is caused.



Well, if the server is "rooted", as you like to put it, there's little
point in gaining the root-password anyway, isn't it ?
You can do pretty much everything, except login as the administrator-user
via the web-interface. Being able to scratch the root-pw out of swap is
just a bonus, if you ask me.

It would be bad, if a non-priviledged user had access to the swap-partition.
On the two SLOXs I have access to, the swap-partition is only
group-readable by the "disk" group.
Or is there some other way of reading the swap-partition ?

If not, this is not a big concern to me (and we run and support some of
these for various customers).

If, OTOH, you had talked about the empty password for the SLOX'
postgres-database.... that would be something completely different (TM).




cheers,
Rainer
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  MITKRB5-SA-2004-003: ASN.1 decoder denial-of-service, Tom Yu
Next by Date:  Diebold Global Election Management System (GEMS) Backdoor Account Allows Authenticated Users to Modify Votes, Jérôme
Previous by Thread:  MITKRB5-SA-2004-003: ASN.1 decoder denial-of-service, Tom Yu
Next by Thread:  Re: Linux OpenExchange - cleartext rootpw in swap, Valdis . Kletnieks
Indexes:  [Date] [Thread] [Top] [All Lists]