Yeah, it is the countermeasure for a similar security risk. But I know little about Samba; could you explain more precisely how the attacker seeks the credentials? That is exactly what I want to test, but I failed...
Thanks!

2012/1/12 Scott Lovenberg <scott.lovenb...@gmail.com>

> On Wed, Jan 11, 2012 at 11:45, Dave Hylands <dhyla...@gmail.com> wrote:
>
>> Hi,
>>
>> On Wed, Jan 11, 2012 at 4:53 AM, 夏业添 <summer...@gmail.com> wrote:
>> > Hi,
>> > My tutor asked me to test whether one process leaves information in
>> > memory after it is dead. I tried to search for articles about such a thing on
>> > the Internet, but there seems to be no one discussing it. After that,
>> > I tried to write a program in user mode to test it, using fork() to
>> > create lots of processes and filling char 'a' into a 102400-byte char array
>> > in each process. Then I used malloc() to get some memory to seek char 'a' in
>> > a new process or many new processes, but failed. All memory I malloced
>> > was full of zero.
>>
>> Yeah - so if it were possible for one process to get information about
>> another process like that you would have a security leak.
>>
>> > As the man page of malloc says: "The memory is not initialized", I believe
>> > that the memory which was obtained by malloc() could be used by another process,
>> > and therefore information leakage exists. But how can I test it? Or where can
>> > I get related information?
>>
>> All pages allocated from the OS will be initially zeroed, however,
>> once your process owns the page, if you filled it with Z's and then
>> freed it and reallocated you might very well get your Z's back
>> instead of 0's. You'll never get data from another process though.
>>
>
> Real world example in C; I fixed a security bug in Samba that dealt with
> this exact problem. Credential files were read to memory as the root user
> and then the memory was freed without being zeroed. A user could therefore
> read the contents of a file that they didn't have permission to read
> because the whole thing was put in memory by a user that had permission to
> view the file. Someone clever could churn through memory and find the
> credentials if they knew that the mount command was just run.
>
> I added a memset() to the end of the parsing function to zero out the
> memory before freeing back to the OS.
>
> http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c
> (you can skip to the end of the patch if you don't want to follow the entire
> flow of the code)
>
> Does this help express the idea any better?
> --
> Peace and Blessings,
> -Scott.
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
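The following is an added example for this thread; it is not code from the list posts or from cifs-utils. It reproduces in one process the two points made above: Dave's observation that a buffer freed without being cleared can come back from the next malloc() of the same size still holding its old bytes, and Scott's fix of zeroing the buffer before free(). The "credential file" text is a constructed sample, and the layout assumption (that glibc overwrites only the first 16 bytes of a freed small chunk with free-list pointers, so text placed past that offset survives reuse) is specific to glibc and is labelled in the comments. One practitioner caveat is built in: the wipe goes through a volatile pointer, because a compiler is allowed to drop an ordinary memset() whose target is freed immediately afterwards as a dead store.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample "credential file" contents; not real data. */
#define CRED_BUF_SIZE 256
static const char SAMPLE_CREDS[] =
    "username=example-user\npassword=Constructed-Pa55w0rd\n";

/* Storing the pointer in a volatile global makes it "escape", so the
 * compiler cannot elide the malloc/free pair at higher optimisation. */
static void *volatile escape_sink;

/* Zero through a volatile pointer: the stores cannot be removed as dead
 * just because free() follows (a plain memset() before free() may be). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns true if needle occurs anywhere in the first hay_len bytes. */
static bool contains_bytes(const unsigned char *hay, size_t hay_len,
                           const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || hay_len < nlen)
        return false;
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return true;
    return false;
}

/* Stand-in for a credential parser: read the text into a heap buffer,
 * then release it. wipe=false is the unfixed behaviour, wipe=true the fix. */
static void parse_credentials(bool wipe)
{
    char *buf = malloc(CRED_BUF_SIZE);
    if (!buf)
        return;
    memset(buf, 0, CRED_BUF_SIZE);
    /* Assumption (glibc): free() writes free-list pointers into the first
     * 16 bytes of the chunk, so bytes beyond that offset survive reuse. */
    memcpy(buf + 32, SAMPLE_CREDS, sizeof SAMPLE_CREDS);
    escape_sink = buf;
    if (wipe)
        secure_zero(buf, CRED_BUF_SIZE); /* clear before handing back */
    free(buf);
}

/* Allocate a same-sized block afterwards and report whether the
 * credential text is still readable in it. */
static bool residue_after(bool wipe)
{
    parse_credentials(wipe);
    unsigned char *later = malloc(CRED_BUF_SIZE);
    if (!later)
        return false;
    bool found = contains_bytes(later, CRED_BUF_SIZE, "password=");
    free(later);
    return found;
}

/* Check of the wipe primitive on its own: true if every byte is zero. */
static bool wipe_clears(void)
{
    unsigned char b[64];
    memset(b, 'Z', sizeof b);
    secure_zero(b, sizeof b);
    for (size_t i = 0; i < sizeof b; i++)
        if (b[i] != 0)
            return false;
    return true;
}

int main(void)
{
    printf("freed without wipe: residue %s\n",
           residue_after(false) ? "found" : "not found");
    printf("freed after wipe:   residue %s\n",
           residue_after(true) ? "found" : "not found");
    return 0;
}
```

Whether the unwiped run reports residue depends on the allocator (on glibc the freed chunk is normally handed straight back, so it does); the wiped run can never report it, because the only chunk that ever held the text was cleared before it was released. Reading the fresh block is the in-process equivalent of "churning through memory"; nothing here crosses a process boundary, which matches Dave's point that the kernel zeroes pages before giving them to a different process.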