Re: /proc/*/mem and mmap() security hole?

Brian Gerst (bgerst@quark.vpplus.com)
Thu, 08 Jan 1998 19:10:23 -0500


Andrej Presern wrote:
>
> Hello
>
> While working on a project I learned that a process can
> mmap() another process' address space (owned by the same
> user) via /proc/pid/mem. Now it makes me wonder if there
> is a way a process can prevent some other process from
> accessing any of its address space. Not being able to do
> so would open up a potential security hole that would
> enable the superuser to extract the information that is
> supposed to stay private by mmap()ing the address space
> of an interesting process into its own and examining (and
> possibly modifying) it.
>
> While an evil superuser could do this in some other way
> anyway (for example by substituting the original program
> with a hacked version that logs interesting information),
> on a normal system, the superuser will not do a thing like
> that. But if the system is compromised, this feature opens
> up a whole new range of possibilities to the intruder, since
> no files need to be modified (which would trigger tripwire)
> in order to get the thing done.
>
> I can think of a whole range of possible attacks using
> this, such as capturing user passwords by dumping the
> login's address space or creating a virtually undetectable
> backdoor by modifying (or even replacing) some system
> process. This kind of attack would not be trivial, of course,
> but instead of being nontrivial to implement I'd prefer
> them not to be possible at all.
>
> Can someone with more in-depth knowledge please shed some light
> on this?
>
> Andrej

It's not much different than mmap'ing /dev/mem or /dev/kmem.

-- 

Brian Gerst
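Andrej asks whether a process can keep other processes of the same user out of its address space. The following is an added example, not code from this thread: on current Linux kernels, prctl(PR_SET_DUMPABLE, 0) makes the kernel's ptrace access check refuse /proc/PID/mem opens from same-UID peers, which the probe below shows by forking a child and trying to open its mem file from the parent; the function names are my own, and, as Brian's reply implies, a caller holding CAP_SYS_PTRACE (root) is still let through.

```c
/* Added example, not from the original thread. Linux-only. */
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark the calling process non-dumpable. Besides suppressing core dumps, this
 * makes the kernel's ptrace access check refuse same-UID peers for
 * /proc/PID/mem and ptrace(2); a CAP_SYS_PTRACE holder (root) still passes. */
int set_nondumpable(void) {
    return prctl(PR_SET_DUMPABLE, 0L, 0L, 0L, 0L);
}

/* Current dumpable flag of the calling process (0 = not dumpable). */
int is_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0L, 0L, 0L, 0L);
}

/* Fork a child, set its dumpable flag explicitly (it is inherited across fork),
 * and try to open its /proc/PID/mem from the parent: same UID and an ancestor,
 * so Yama's default ptrace scope does not interfere.
 * Returns 0 if the open succeeded, 1 if denied (EACCES/EPERM), 2 on other errors. */
int probe_child_mem(int harden_child) {
    int pipefd[2];
    if (pipe(pipefd) < 0) return 2;
    pid_t pid = fork();
    if (pid < 0) return 2;
    if (pid == 0) {                                   /* child */
        close(pipefd[0]);
        prctl(PR_SET_DUMPABLE, harden_child ? 0L : 1L, 0L, 0L, 0L);
        if (write(pipefd[1], "r", 1) != 1) _exit(1);  /* signal readiness */
        pause();                                      /* wait to be killed */
        _exit(0);
    }
    close(pipefd[1]);
    char ready, path[64];
    int result = 2;
    if (read(pipefd[0], &ready, 1) == 1) {
        snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
        int fd = open(path, O_RDONLY);
        result = fd >= 0 ? 0 : (errno == EACCES || errno == EPERM) ? 1 : 2;
        if (fd >= 0) close(fd);
    }
    close(pipefd[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}
```

Running probe_child_mem(0) as an unprivileged user normally returns 0 (the peer's memory is readable), while probe_child_mem(1) returns 1; as root with CAP_SYS_PTRACE both return 0, which is the point Brian makes.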