Bugtraq mailing list archives
Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()
From: jepler () INETNEBR COM (Jeff Epler)
Date: Sat, 2 Aug 1997 22:57:31 -0500
On Sat, Aug 02, 1997 at 08:02:04PM -0500, Thomas H. Ptacek wrote:
Vulnerability in rfork() System Call A vulnerability in certain 4.4BSD kernels allows processes to gain access to restricted resources by manipulating the file descriptor tables of SUID and SGID executables. Applications of this vulnerability will allow users to gain root access.
A look at the source code for Linux kernel 2.0.30 and an attempted exploit seem to show that linux clone() does not have the weakness discovered in rfork(). An excerpt from linux/fs/exec.c (lines 516ff in my copy): if (id_change) { /* We can't suid-execute if we're sharing parts of the * executable */ /* or if we're being traced (or if suid execs are not allowed) */ /* (current->mm->count > 1 is ok, as we'll get a new mm anyway) */ if (IS_NOSUID(bprm->inode) || (current->flags & PF_PTRACED) || (current->fs->count > 1) || (current->sig->count > 1) || (current->files->count > 1)) /*XXX jepler*/ { if (!suser()) return -EPERM; } } XXX marks the line which keeps us safe in the face of CLONE_FILES. Copies of my non-exploit are available on reques. Jeff -- \/ jepler () inetnebr com http://incolor.inetnebr.com/jepler/ (0|1(01*0)*1)+ HOW YOU CAN TELL THAT IT'S GOING TO BE A ROTTEN DAY: #1040 Your income tax refund cheque bounces.
Current thread:
- Bugs in Debian Linux's ircd package, (continued)
- Bugs in Debian Linux's ircd package Matt (Aug 01)
- SSH LocalForward Kristof Van Damme (Aug 02)
- Security hole in rusers client David Holland (Aug 02)
- SSH LocalForward Nicolas Dubee (Aug 02)
- Re: your mail Erik Troan (Aug 10)
- Sun Security Bulletin #00149 Aleph One (Aug 13)
- Sun Security Bulletin #00150 Aleph One (Aug 13)
- Possible fixed identd Phillip R. Jaenke (Aug 13)
- CERT Advisory CA-97.22 - BIND - the Berkeley Internet Name Daemon Aleph One (Aug 14)
- Vulnerability in 4.4BSD rfork() implementation Thomas H. Ptacek (Aug 02)
- Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork() Jeff Epler (Aug 02)
- Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork() Marc Slemko (Aug 03)
- Re: sendmail -C: Known? Patches? (AIX 4.1.5) Gene Spafford (Aug 09)
- Re: sendmail -C: Known? Patches? (AIX 4.1.5) Troy Bollinger (Aug 10)
- Program To decrypt password in ws_ftp.ini JeBe (Aug 10)