Is your RAM chained to your servers?

Today I came across a rather interesting post regarding plain text passwords and their presence in Linux memory…

Sherri Davidoff over at www.philosecurity.org describes how she was able to recover various passwords from Linux memory; these included the Linux root password as well as email, IM, SSH and TrueCrypt passwords. After reading this I decided to see if I could achieve similar results. Using nothing but pcat (part of The Coroner's Toolkit), dd and ghex, I was able to recover various passwords, including root, SSH, email and MSN (using the Pidgin MSN client) passwords.

To recover an SSH password, I used the following test procedure…

1) Boot Linux Fedora 9 system

2) SSH into remote system

3) Execute the dd command to dump memory to a file:

[root@plutolin bin]# dd if=/dev/mem of=/home/user1/Desktop/tct/tct-1.18/bin/mem.bin bs=1024

Using exactly the same technique, I was also able to recover root passwords that had recently been entered at the su prompt. Below is a screenshot of a recovered root password ‘rootpass’.

What makes this alarming is some research that has recently come out of Princeton’s Center for Information Technology Policy, in which it was discovered that data stored on DRAM could actually be accessed after a system has been powered down and the DRAM removed from the motherboard. This research shows that “data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system”.

In fact, if DRAM chips are cooled to -50°C, data can be retained on the chips for tens of minutes if not longer. When cooled to -196°C, chips were observed to retain data for hours without any appreciable loss.
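The reason these passwords turn up in a dd image is that the programs handling them leave the plain text sitting in their buffers after use. The following is an added example, not code from the original post or from Sherri's research, that reproduces the author's test in miniature: a constructed 4 KiB arena stands in for the memory image, a hypothetical authenticate() routine copies the password into a buffer the way a login program might, and count_occurrences() plays the role of searching the dump in ghex. The scrubbed path wipes the buffer with a volatile store loop, so the compiler cannot drop the write as dead code the way it may with a plain memset.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the memory image produced by dd if=/dev/mem. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

/* Zero a buffer in a way the optimiser cannot elide (explicit_bzero equivalent). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Count byte-exact hits of `pattern` in an image, like searching the dump in ghex. */
size_t count_occurrences(const unsigned char *image, size_t image_len,
                         const char *pattern) {
    size_t plen = strlen(pattern), hits = 0;
    if (plen == 0 || plen > image_len) return 0;
    for (size_t i = 0; i + plen <= image_len; i++)
        if (memcmp(image + i, pattern, plen) == 0) hits++;
    return hits;
}

/* Trivial stand-in for "using" the credential (e.g. passing it to a PAM module). */
static unsigned checksum(const char *s) {
    unsigned h = 0;
    while (*s) h = h * 31 + (unsigned char)*s++;
    return h;
}

/* Hypothetical login routine: copies the password into a scratch buffer inside the
   arena, uses it, and either wipes the buffer (scrub != 0) or leaves it behind. */
unsigned authenticate(const char *password, int scrub) {
    char *scratch = (char *)arena + 512;   /* wherever the program's buffer happens to be */
    size_t n = strlen(password);
    if (n >= 256) return 0;
    memcpy(scratch, password, n + 1);
    unsigned h = checksum(scratch);
    if (scrub) secure_zero(scratch, n + 1);
    return h;
}

/* Run the flow on a clean arena and report how many copies of the password remain. */
size_t leaked_copies(const char *password, int scrub) {
    memset(arena, 0, ARENA_SIZE);
    authenticate(password, scrub);
    return count_occurrences(arena, ARENA_SIZE, password);
}

int main(void) {
    printf("without scrubbing: %zu copies recoverable\n", leaked_copies("rootpass", 0));
    printf("with scrubbing:    %zu copies recoverable\n", leaked_copies("rootpass", 1));
    return 0;
}
```

Scrubbing only removes the copies a program controls; the dd image also captures kernel and terminal buffers, freed heap pages and other processes' memory, which is why the author's search still succeeds against real systems and why the DRAM remanence research above matters even after shutdown.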

To read Sherri’s post please visit http://philosecurity.org/research/cleartext-passwords-linux

For more information on ‘Cold Boot Attacks’ and how data can be recovered from DRAM after power has been removed, visit http://citp.princeton.edu/memory/

~ by networkingza on August 1, 2008.
