Yeah, it is the countermeasure for a similar security risk. But I know little about Samba, and could you explain more precisely how the attacker seeks the credentials? That is exactly what I want to test but failed...<div>
<br></div><div>Thanks!<br><br><div class="gmail_quote">2012/1/12 Scott Lovenberg <span dir="ltr"><<a href="mailto:scott.lovenberg@gmail.com">scott.lovenberg@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br><br><div class="gmail_quote"><div><div class="h5">On Wed, Jan 11, 2012 at 11:45, Dave Hylands <span dir="ltr"><<a href="mailto:dhylands@gmail.com" target="_blank">dhylands@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<div><br>
On Wed, Jan 11, 2012 at 4:53 AM, 夏业添 <<a href="mailto:summerxyt@gmail.com" target="_blank">summerxyt@gmail.com</a>> wrote:<br>
> Hi,<br>
> My tutor asked me to test whether one process leaves information in<br>
> memory after it is dead. I tried to search some article about such thing on<br>
> the Internet but there seems to be no one discuss about it. And after that,<br>
> I tried to write some program in the User Mode to test it, using fork() to<br>
> create lots of processes and filling char 'a' into a 102400 bytes char array<br>
> in each process. Then I used malloc() to get some memory to seek char 'a' in<br>
> a new one process or many new processes, but failed. All memory I malloced<br>
> was full of zero.<br>
<br>
</div>Yeah - so if it were possible for one process to get information about<br>
another process like that you would have a security leak.<br>
<div><br>
> As the man page of malloc said:"The memory is not initialized", I believe<br>
> that the memory which was got by malloc() could be used by other process,<br>
> and therefor information leakage exists. But how can I test it? Or where can<br>
> I get related information?<br>
<br>
</div>All pages allocated from the OS will be initially zero'd, however,<br>
once your process owns the page, if you filled it with Z's and then<br>
freed it and reallocated you might very well get your Z's back<br>
instead of 0's. You'll never get data from another process though.<br></blockquote><div> </div></div></div><div>Real world example in C; I fixed a security bug in Samba that dealt with this exact problem. Credential files were read to memory as the root user and then the memory was freed without being zeroed. A user could therefore read the contents of a file that they didn't have permission to read because the whole thing was put in memory by a user that had permission to view the file. Someone clever could churn through memory and find the credentials if they knew that the mount command was just run. </div>
<div><br></div><div>I added a memset() to the end of the parsing function to zero out the memory before freeing back to the OS.</div><div><a href="http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c" target="_blank">http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=6c917ebf360b3dbbc4c7ad9af3e106170528aa3c</a> (you can skip to the end of the patch if you don't want to follow the entire flow of the code)</div>
<div><br></div><div>Does this help express the idea any better?</div></div><span class="HOEnZb"><font color="#888888">-- <br>Peace and Blessings,<br>-Scott.<br><br>
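The scenario Scott describes (a credentials file read into a heap buffer, the buffer freed without being zeroed, and a later allocation in the same address space still seeing the secret) can be reproduced deterministically without relying on undefined behaviour by standing in a tiny allocator for the real heap. The following C program is an added example for this thread; it is not code from the thread, from Samba or from the cifs-utils patch linked above. The arena, the `username=`/`password=` file format, the sample credentials and every function name are constructed for the illustration.

```c
/* Added example (not from the thread, Samba or cifs-utils): a toy heap shows
 * why a buffer that held a credentials file must be wiped before it is freed.
 * The arena, the file format and all names here are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 256

/* Minimal allocator standing in for the process heap: freeing does not touch
 * the contents, so the next allocation of the block sees the old bytes. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    int in_use;
} arena_t;

static void *arena_alloc(arena_t *a, size_t n)
{
    if (a->in_use || n > ARENA_SIZE) return NULL;
    a->in_use = 1;
    return a->mem;   /* deliberately not zeroed, like a recycled heap block */
}

static void arena_free(arena_t *a, void *p)
{
    if (p == a->mem) a->in_use = 0;
}

/* A wipe the compiler cannot drop as a dead store before free(): the volatile
 * pointer forces every byte write to actually happen. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Extract the value of "password=" from a credentials file held in memory.
 * Returns the length copied, or -1 if the key is absent or out is too small. */
int parse_password(const char *text, char *out, size_t outlen)
{
    const char *key = "password=";
    const char *p = strstr(text, key);
    if (!p) return -1;
    p += strlen(key);
    size_t len = strcspn(p, "\n");
    if (len >= outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Model of a privileged mount helper: read the file into a heap buffer, pull
 * out the password, release the buffer. With wipe == 0 the file contents stay
 * behind in the arena; with wipe == 1 they are zeroed first. */
void load_credentials(arena_t *a, const char *file_contents, int wipe,
                      char *password, size_t pwlen)
{
    size_t n = strlen(file_contents) + 1;
    char *buf = arena_alloc(a, n);
    if (!buf) { password[0] = '\0'; return; }
    memcpy(buf, file_contents, n);
    parse_password(buf, password, pwlen);
    if (wipe) secure_wipe(buf, n);
    arena_free(a, buf);
}

/* What a later allocation in the same address space could observe:
 * 1 if needle is still present anywhere in the arena, 0 otherwise. */
int arena_contains(const arena_t *a, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= ARENA_SIZE; i++)
        if (memcmp(a->mem + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Run the whole scenario once; returns 1 if the secret survived free(). */
int secret_survives_free(int wipe)
{
    /* Constructed sample credentials file in the username=/password= style. */
    const char *creds = "username=alice\npassword=hunter2\ndomain=EXAMPLE\n";
    char pw[64];
    arena_t heap;
    memset(&heap, 0, sizeof heap);
    load_credentials(&heap, creds, wipe, pw, sizeof pw);
    return arena_contains(&heap, "hunter2");
}

int main(void)
{
    printf("without wipe: secret still in freed memory? %d\n", secret_survives_free(0));
    printf("with wipe:    secret still in freed memory? %d\n", secret_survives_free(1));
    return 0;
}
```

The wipe is written with a volatile pointer because a plain `memset()` immediately before `free()` is a dead store from the optimizer's point of view and may be removed; where available, `explicit_bzero()` (glibc, BSDs) or C11's `memset_s()` give the same guarantee. The same treatment applies to the `password` buffer once the caller has finished with it.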
</font></span></blockquote></div><br></div>