Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hijacking tool

From: jim () Tadpole COM (jim () Tadpole COM)
Date: Mon, 23 Jan 1995 16:36:49 -0600


There is a tool floating around called TAP which is a kernel mod that
allows you to easily watch streams on SunOs, and capture what a person
is typing.  It is easy to modify so that you could actually write to
the stream thus emulating that person and hijacking their terminal 
connection.  

To load the modules, the intruder does a modload to add the module to
the kernel.  One way to detect the hijacking tool is to do a

      modstat

and see if there is any unfamiliar modules loaded.  An intruder could trojan
modstat so it might be worthwhile to check the integrity of modstat.


If the 'cracker' has enough access to modload the code of his or her
choosing into your machine, you have no security.

That is to say, anyone who can modload the code is *already* root, and
could with enough care and patience, just read the data out of the kernel
streams buffers using, oh, adb, or even 'crash'.

Since 'crash' comes SGID kmem (on SunOS) or SGID sys (Solaris), you may
already have this problem.

Jim

P.S. To my detractors on the NFS over TCP on Solaris issue, suggest you
read the man page for nfsd, and then look at the arguements passed by
default when your machine started its nfsd.  Just because udp is the
default doesn't mean that TCP doesn't work.
Previous By Date Next
Previous By Thread Next

Current thread: