Date:      Fri, 29 Sep 2000 18:15:07 -0700
From:      Alfred Perlstein <bright@wintelcom.net>
To:        freebsd-audit@freebsd.org
Subject:   ptrace may have a security flaw with reparenting
Message-ID:  <20000929181506.W27736@fw.wintelcom.net>

I haven't had time to test nor do a complete audit, but a pretty
good glance at the ptrace code makes it look like one can attach
a process to another process.

Here's how it looks as though it may be possible:

pid 100 forks child 101
pid X ptrace attaches to 101
pid X waits for pid 100 to exit and another unrelated (target) process
  to get the pid via wraparound
pid X then detaches
pid 101 is now attached to 100 but it shouldn't be!

I'm not aware of any special capabilities gained from just being 
a child process of another process, however the simple problem is
that now the false child can subvert the parent by exiting and leaving
a return value that would confuse the parent.

Assume setuid app 'foo' forks a child to do authentication and relies
on the child returning success for positive auth, well now you have 
a race window in which to return early and trick the parent.

Again even if this is possible it's probably going to be really 
obscure and difficult to exploit, however after someone says that
on BUGTRAQ it's usually a few hours (days tops) before someone
actually finds a case where it is possible.

My apologies if this isn't possible (there may be other checks in
the code to disallow this trick), but I just don't have time to
research it further.

thanks,
-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

