Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] COSEINC Linux Advisory #1: Linux Kernel Parent Process

from [Wojciech Purczynski] Network Security [Permanent Link]
Subject: [Full-disclosure] COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
Date: Tue, 14 Aug 2007 17:17:14 +0200 (CEST) 

===[ ABSTRACT ]=========================================================

An unprivileged local user may send arbitrary signal to a child process
despite security restrictions.


===[ AFFECTED SOFTWARE ]================================================

Linux 2.6
Linux 2.4

For the exact kernel version please refer to an information provided by
your vendor.


===[ DESCRIPTION ]======================================================

Typically unprivileged user can not send signal to processes running
with different UID. Due to vulnerability found in the Linux kernel any
local user may bypass security restrictions and send arbitrary signal to
any child process executed by the user.

When a parent process dies or exits its child processes may receive a
signal.  Each child process may choose and set its own "parent process
death signal" using PR_SET_PDEATHSIG function of the prctl() system
call.

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
        exit()'ed or killed
                        child receives the signal

The parent process death signal is not reset over execve() system call
and is inherited by spawned process:

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
                        execve("./a.out")
        exit()'ed or killed
                        child receives the signal

The signal gets delivered only if parent process has sufficient
privileges to send signals to child processes. Typically any child
process running with higher privilege than its parent will receive no
signal.

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
                        execve("/bin/setuid-binary")
        exit()'ed or killed
                        child receives NO signal this time

However, above restriction may be bypassed if parent process execute
setuid-root binary which dies afterwards.

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
                        execve("/bin/setuid-binary")
        execve("/bin/setuid-binary")
        exit()'ed or killed
                        privileged process receives the signal


===[ DISCLOSURE TIMELINE ]==============================================

27th July 2007          Vendor notification
14th August 2007        Public disclosure


===[ AUTHOR ]===========================================================

Wojciech Purczynski <cliph@research.coseinc.com>

Wojciech Purczynski is a Security Researcher at Vulnerability Research
Labs, COSEINC PTE Ltd. Wojciech Purczynski is also a member of iSEC
Security Research.


===[ LEGAL DISCLAIMER ]=================================================

Copyright (c) 2006,2007 Wojciech Purczynski
Copyright (c) 2007 COSEINC PTE Ltd.

All Rights Reserved.

PUBLISHING, DISTRIBUTING, PRINTING, COPYING, SCANNING, DUPLICATING IN
ANY FORM, MODIFYING WITHOUT PRIOR WRITTEN PERMISSION IS STRICTLY
PROHIBITED.

THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
LOSSES OR UNLAWFUL OFFENCES.

USE AT YOUR OWN RISK.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  rPSA-2007-0157-1 firefox thunderbird, rPath Update Announcements
Next by Date:  [Full-disclosure] ZDI-07-046: Microsoft Windows Media Player Skin Parsing Size Mismatch Heap Overflow Vulnerability, zdi-disclosures
Previous by Thread:  rPSA-2007-0157-1 firefox thunderbird, rPath Update Announcements
Next by Thread:  Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability, Wojciech Purczynski
Indexes:  [Date] [Thread] [Top] [All Lists]