On Thu, Oct 19, 2006 at 12:33:28PM -0700, Douglas Phillipson wrote:

> Can a non-root or even a root owned process access the swap space?

non-root: no. (unless the user is a member of group 'disk' -- which by default, no user should be)
root: yes, but at that point, you've lost anyway, and there are far more fun things to do than scribble on swap space.

I'm not 100% certain, but SELinux may also add an additional restriction to who can touch raw disks. You may need policy adjustments if you're running in enforcing mode. It's certainly doable, I'm just not sure if our current policy enforces this.

> file on Windows which probably makes it easier than Linux. Swap on
> Linux typically is an unformatted file system, but can be a file in the
> file system if desired.

That file won't be writable by anyone other than root.

The key phrase in that pdf is this..

"Vista allows usermode app to get raw access to disk"

G A M E O V E R .

This is pretty damned amazing that they haven't considered this a fundamental security problem, as it bypasses any form of access controls that are placed on files, allowing for all sorts of fun even without owning the box as described in this paper.

> As I understand the exploit, Microsoft has
> implemented a policy with Vista that only drivers "Signed" by Microsoft
> can be installed on Vista. This "Paging" exploit completely bypasses
> this requirement, easily.

The whole notion of pageable device drivers is utter lunacy to begin with. Combined with the above brain damage, it's trivially exploitable, and unless they fix this before GA, I wouldn't be surprised if a whole slew of malware starts abusing this.

Dave

--
http://www.codemonkey.org.uk
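An added example, not part of the original message: a Python audit of the Linux-side claims above, checking that each active swap area is root-owned, not accessible to other users, and not reachable through a populated 'disk' group. The function names and the sample /proc/swaps text are assumptions made for illustration.

```python
import grp
import os
import stat

# Constructed sample in /proc/swaps format (not taken from a real host).
SAMPLE_PROC_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\t\tUsed\t\tPriority\n"
    "/dev/sda2                               partition\t2097148\t\t0\t\t-2\n"
    "/swapfile                               file\t\t1048572\t\t0\t\t-3\n"
)

def parse_proc_swaps(text):
    """Return (path, type) for every active swap area listed in /proc/swaps."""
    entries = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries

def audit_swap(mode, uid, gid, disk_gid, disk_members):
    """Check one swap area's owner and mode bits; return a list of findings."""
    findings = []
    if uid != 0:
        findings.append("owner is uid %d, not root" % uid)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("readable or writable by any user")
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        if gid == disk_gid:
            if disk_members:                # group 'disk' should be empty
                findings.append("group 'disk' has members: "
                                + ", ".join(sorted(disk_members)))
        elif gid != 0:
            findings.append("group access granted to gid %d" % gid)
    return findings

def audit_host(proc_swaps="/proc/swaps"):
    """Audit the swap areas of the running Linux system."""
    try:
        disk = grp.getgrnam("disk")
        # gr_mem lists supplementary members only, not users whose primary gid is disk
        disk_gid, members = disk.gr_gid, disk.gr_mem
    except KeyError:
        disk_gid, members = -1, []
    report = {}
    with open(proc_swaps) as fh:
        for path, _kind in parse_proc_swaps(fh.read()):
            st = os.stat(path)
            report[path] = audit_swap(st.st_mode, st.st_uid, st.st_gid, disk_gid, members)
    return report

if __name__ == "__main__":
    for path, findings in audit_host().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

This checks classic Unix permissions only; it does not evaluate SELinux policy or ACLs.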