Bugtraq mailing list archives

Re: Hijacking tool


From: avalon () coombs anu edu au (Darren Reed)
Date: Tue, 24 Jan 1995 10:31:21 +1100 (EDT)



There is a tool floating around called TAP which is a kernel mod that
allows you to easily watch streams on SunOS, and capture what a person
is typing.  It is easy to modify so that you could actually write to
the stream thus emulating that person and hijacking their terminal
connection.

To load the modules, the intruder does a modload to add the module to
the kernel.  One way to detect the hijacking tool is to do a

    modstat

and see if there are any unfamiliar modules loaded.  An intruder could trojan
modstat so it might be worthwhile to check the integrity of modstat.

If the 'cracker' has enough access to modload the code of his or her
choosing into your machine, you have no security.

That is to say, anyone who can modload the code is *already* root, and
could, with enough care and patience, just read the data out of the kernel
streams buffers using, oh, adb, or even 'crash'.
[...]

In the more recent versions of BSD-based operating systems based on
4.4-Lite, with the kernel security level stuff, I believe it is not
possible to load a kernel module after it has left single user mode.
Does anyone know of a hack to SunOS which affords the same kind of
'protection'?  Of course, /dev/kmem & /dev/mem would need to become
read-only devices too...

Darren

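A defender's script in the spirit of the modstat check discussed above, added here as an example (it is not Darren's code nor anything from the archive). It assumes that modstat prints a header line starting with "Id" followed by one module per line with the name as the last field (the sample output below is constructed on that assumption), that cksum is available (older SunOS installs would use sum), and that the allowlist and the recorded checksum come from a trusted installation.

```shell
#!/bin/sh
# Added example, not from the post: flag loaded kernel modules that are not
# on a recorded allowlist, and verify the modstat binary against a stored
# checksum before trusting its output (a trojaned modstat would hide a module).
# Assumptions (constructed for this example): modstat prints a header line
# starting with "Id" and then one module per line with the module name as the
# last whitespace-separated field; cksum exists; the allowlist and checksum
# were recorded from a trusted installation.

# Modules expected on this host (constructed allowlist).
BASELINE_MODULES='nfs_srv
vmcore'

# Sample modstat output, constructed to include one unexpected module.
SAMPLE_MODSTAT='Id Type Loadaddr   Size B-major  C-major Sysnum    Mod Name
 1 Pdrv ff0d8000   3000   59.                    nfs_srv
 2 Pdrv ff0e0000   2000   60.                    vmcore
 3 Pdrv ff0f0000   1000   61.                    tap'

# Print every loaded module name that is not in the allowlist.
# $1 = modstat output, $2 = newline-separated allowlist.
unexpected_modules() {
    printf '%s\n' "$1" | awk '$1 != "Id" && NF > 0 { print $NF }' |
    while read -r name; do
        printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Succeed only if the file's checksum matches the recorded "crc size" pair.
# $1 = path, $2 = expected value of: cksum FILE | awk '{print $1, $2}'
binary_unchanged() {
    actual=$(cksum "$1" | awk '{print $1, $2}')
    [ "$actual" = "$2" ]
}

# Live check on a real host. MODSTAT_SUM is a placeholder: fill it in with
# the value recorded from trusted media for this host's modstat binary.
MODSTAT_SUM='RECORDED_CRC RECORDED_SIZE'
if command -v modstat >/dev/null 2>&1; then
    if binary_unchanged "$(command -v modstat)" "$MODSTAT_SUM"; then
        unexpected_modules "$(modstat)" "$BASELINE_MODULES"
    else
        echo 'modstat checksum mismatch: do not trust its output' >&2
    fi
else
    # No modstat on this machine: demonstrate on the constructed sample.
    unexpected_modules "$SAMPLE_MODSTAT" "$BASELINE_MODULES"
fi
```

Run without a live modstat, the script reports the constructed module "tap" as unexpected; a checksum mismatch is reported before any module listing is trusted.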