[Bug 18520] New: reading memory via /dev/sdX

bugzilla-daemon at bugzilla.ubuntu.com bugzilla-daemon at bugzilla.ubuntu.com
Wed Oct 26 19:14:23 UTC 2005 

Please do not reply to this email.  You can add comments at
http://bugzilla.ubuntu.com/show_bug.cgi?id=18520
Ubuntu | linux

           Summary: reading memory via /dev/sdX
           Product: Ubuntu
           Version: unspecified
          Platform: i386
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: linux
        AssignedTo: ben.collins at ubuntu.com
        ReportedBy: ubuntu at juerd.nl
         QAContact: kernel-bugs at lists.ubuntu.com


I had this very weird problem, and it took a few hours before I realised what
was happening.

Trying to salvage a broken hard disk that wouldn't let any machine boot up while
plugged in, I connected it to a USB mass storage enclosure. This appeared to
work well: the drive was recognised, with size correct.

I could even read from it! less -f confirmed that it was readable. There were no
errors.

Obviously, very happily I started backing things up immediately: dd if=/dev/sda
of=/mnt/somedisk/image

The file was as large as I expected it to be, namely the size of the hard disk:
60 GB. Good! It worked.

Now to read it again. But it didn't have a partition table. Or anything
recognisable as a partition. I could see lots of recognisable things in it,
though. But wait, was this disk originally used for Linux? Hm, no, it should be
an NTFS disk used with Windows. I was looking at things that are closely related
to Linux, though.

I checked if I really was reading from the USB thing. Apparently I did: reading
made the LED light up, and it failed when the device was unplugged.

I didn't trust it, so I tried another computer, my laptop this time.

The content had changed! I was seeing... hey, curious, names of sites I had been
visiting, with my laptop. And my bank account number, with the latest
transactions, in chunks of HTML.

This wasn't on the disk! This was in my laptop's memory! Still, though, this
device would allow reading exactly as many bytes as there were on the hard
drive, and the activity LED would happily blink along.

This must be a bug in any of the drivers involved in reading USB mass storage
devices.

To verify: I did a chmod 666 /dev/sdb (my laptop has sda for its internal hard
drive, so the USB drive got sdb), and as a normal user, who can't even sudo, I
was able to read parts of the system memory. Including several passwords.

I believe that this should be classified as a security bug. Any user with
physical access to the machine can plug in an USB device, and everything from
then is automatic.

Unfortunately, the drive belongs to a client, and I had to return it. Because of
the sensitive nature of the data found in my memory, I can also not disclose any
data that came from the sdX devices.

I have a few broken hard drives here, and will try to reproduce the bug soon,
hoping the way the drive is broken does not matter much.

In case it's important, this was tested with several Ubuntu machines (several
versions), the USB IDE controller in question is originally an external Maxtor
200 GB drive, but now had a Maxtor 60 GB drive in it.

-- 
Configure bugmail: http://bugzilla.ubuntu.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.

More information about the kernel-bugs mailing list