Re: Hijacking tool

Darren Reed (avalon@coombs.anu.edu.au)
Tue, 24 Jan 1995 10:31:21 +1100 (EDT)

> 
> > There is a tool floating around called TAP which is a kernel mod that
> > allows you to easily watch streams on SunOS, and capture what a person
> > is typing.  It is easy to modify so that you could actually write to
> > the stream thus emulating that person and hijacking their terminal 
> > connection.  
> > 
> > To load the modules, the intruder does a modload to add the module to
> > the kernel.  One way to detect the hijacking tool is to do a
> > 
> > 	modstat
> > 
> > and see if there are any unfamiliar modules loaded.  An intruder could trojan
> > modstat so it might be worthwhile to check the integrity of modstat.
> 
> If the 'cracker' has enough access to modload the code of his or her
> choosing into your machine, you have no security.
> 
> That is to say, anyone who can modload the code is *already* root, and
> could with enough care and patience, just read the data out of the kernel
> streams buffers using, oh, adb, or even 'crash'.
[...]

In the more recent versions of 'BSD based operating systems based on
4.4-Lite, with the kernel security level stuff, I believe it is not
possible to load a kernel module after it has left single user mode.
Does anyone know of a hack to SunOS which affords the same kind of
`protection' ?  Of course, /dev/kmem & /dev/mem would need to become
read-only devices too...

Darren
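
The modstat check described in the quoted message, as an added example that is not part of the original post: loaded module names are compared against a baseline recorded while the machine was known to be clean. The function name, the baseline file and the sample listing are constructed, and the column layout (one header row, module name in the last field) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: the listing has one header row and the module name is the
# last whitespace-separated field of every other row.

# unfamiliar_modules BASELINE_FILE  < module-listing
# Prints every loaded module name that is absent from the baseline, one per
# line. A missing or unreadable baseline means every module is reported.
unfamiliar_modules() {
    awk -v base="$1" '
        BEGIN {
            # Load the known-good names, one per line, into a lookup table.
            while ((getline name < base) > 0)
                if (name != "") known[name] = 1
        }
        NR == 1 { next }                 # header row
        NF == 0 { next }                 # blank line
        !($NF in known) { print $NF }    # not in the baseline
    '
}

# Demo on constructed data. On a live host the listing would come from a
# copy of modstat kept on read-only media, since the installed binary may
# itself have been replaced.
demo_baseline=$(mktemp)
printf '%s\n' examplea > "$demo_baseline"

demo_report=$(unfamiliar_modules "$demo_baseline" <<'EOF'
Id  Type  Loadaddr  Size  B-major  C-major  Sysnum  Mod Name
 1  Drv   ff0a0000  2000           60               examplea
 2  Drv   ff0b2000  6000           59               exampleb
EOF
)
rm -f "$demo_baseline"

if [ -n "$demo_report" ]; then
    echo "modules not in baseline:"
    echo "$demo_report"
fi
```

A clean report only shows that the listing matches the baseline; a module that hides itself from the listing, or a kernel modified through /dev/kmem, will not appear in it.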