Linux core dumps are memory snapshots created when programs crash, which can contain sensitive information like passwords and configurations; attackers can extract this data by examining core dump files, making it essential for developers to configure core dump settings securely and consider the security implications of how their applications crash.
Deep Dive
Linux Coredumps: A Goldmine for Hackers
This is a list of core dumps on my machine. They may not be interesting for us, but attackers can look into this and find confidential information such as passwords.
In this video, I will share with you the basics of core dumps and how hackers extract data from them. When a program crashes, the kernel captures its memory and dumps it onto disk, but this depends on the signal being intercepted by the kernel. Here are some examples.
First is when a program encounters a segmentation fault, meaning it tried to access an invalid memory location.
Another one is abort. This is a voluntary crash made by the program to kill itself and prevent further damage to the system. We also have floating point exception issues, which happen when the mathematical operation is impossible to perform. The next one is illegal instruction, which is very low-level. This means the CPU tries to execute an invalid or forbidden instruction. Last one is about faulty hardware access, which is something rare for most of us.
Once the kernel intercepts the right signal, it will hand off the program's memory to systemd. Here is the process.
First, the program crashes.
The kernel then intercepts and, based on the signal, decides whether to create a core dump or not. If it needs to, it will pipe the memory to the systemd core dump facility.
Once systemd takes control, it will extract metadata and dump a compressed file inside this directory.
To see the core dumps, we will run the following command.
There are quite a lot on my machine, and it shows me that picom is regularly crashing, so I might need to check it sometime. We have here the time of the crash, the process ID, UID, and signal.
It also tells us that the core file is missing. That happens if it is too large or it doesn't obey the restrictions in the core dump configuration file. The kernel imposes restrictions since it cannot generate dumps for all crashing processes. It can be process intensive or may consume a lot of disk space.
Going down, we see some recent crashes.
Unlike the first ones, this Python program has a core file present, and it is not too large.
Once an attacker sees this, they can easily extract data from it.
To extract data from the core file, we will use the same command.
We will dump the PID and put it into a file.
The reason we are doing it like this is because the original core files are in compressed format, so we need to convert them to something readable.
After we dump it, we will see several pieces of information. In the command line section, we see an exposed password.
This is a demo application I wrote to simulate a crashing app. This means sometimes attackers don't even need to read the whole core file. They can just look into the command line parameters.
If there is nothing useful there, then that is the time that we need to read the dump we just created.
From here, aside from passwords, we can easily see configurations and other secrets.
As we learned in this video, crashing applications can be valuable to attackers. So, if you are developing an application, you must take into consideration how your program crashes and whether a core file will be generated during those times. I hope you learned something today. If you find my content valuable, please support me by liking this video and subscribing to my channel. See you on the next one.
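One way for a developer to act on that closing advice, shown as an added example that is not code from the video: a process opts itself out of core dump generation before it loads any secrets. The function names `disable_core_dumps` and `core_dumps_disabled` are hypothetical; `setrlimit`, `getrlimit` and `prctl` are the standard Linux calls.

```c
/* Added example: opt a process out of core dumps before it handles secrets. */
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Returns 0 on success, -1 if either control could not be applied. */
int disable_core_dumps(void)
{
    /* Zero the soft and hard limits; an unprivileged process cannot
       raise the hard limit again, and children inherit the value. */
    struct rlimit none = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;

    /* Clear the "dumpable" attribute: the kernel then skips core dump
       generation for this process, including dumps piped to a handler. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Returns 1 if both controls are in effect, 0 if not, -1 on error. */
int core_dumps_disabled(void)
{
    struct rlimit cur;
    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return -1;
    int dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    if (dumpable < 0)
        return -1;
    return (cur.rlim_cur == 0 && cur.rlim_max == 0 && dumpable == 0) ? 1 : 0;
}

int main(void)
{
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    printf("core dumps disabled: %d\n", core_dumps_disabled());
    /* ... load passwords and other secrets only after this point ... */
    return 0;
}
```

The dumpable attribute is not preserved across `execve`, so the call belongs in the program that actually holds the secrets rather than in a launcher or wrapper.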