Bugtraq mailing list archives
Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()
From: marcs () ZNEP COM (Marc Slemko)
Date: Sun, 3 Aug 1997 17:38:22 -0600
On Sat, 2 Aug 1997, Jeff Epler wrote:
> On Sat, Aug 02, 1997 at 08:02:04PM -0500, Thomas H. Ptacek wrote:
> > Vulnerability in rfork() System Call
> >
> > A vulnerability in certain 4.4BSD kernels allows processes to gain access to restricted resources by manipulating the file descriptor tables of SUID and SGID executables. Applications of this vulnerability will allow users to gain root access.
>
> A look at the source code for Linux kernel 2.0.30 and an attempted exploit seem to show that linux clone() does not have the weakness discovered in rfork().
I took a quick look at the behavior of IRIX's sproc() (on 6.2), and it appears to be safe, but it may be more out of luck and/or bugs than design. If you do a sproc() then have the child exec something (regardless of if what it execs is setuid or not) and open a file descriptor in the child, when the parent write()s to that descriptor it does _not_ return an error condition but it doesn't get written to the file either; it appears to just vanish. If you try to write from the parent to a fd that is closed, it does properly return an error.

Finally, a welcome change from all the buffer overflows. Trivial to exploit to gain root, but still a nice change of pace.
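An added example, not code from this thread or from any of its posters: a regression check for the property the messages above discuss, namely whether a descriptor table shared through Linux clone(CLONE_FILES) is still shared once the child has exec'd. The function name, the descriptor numbers it picks and the use of /bin/sh and /dev/null are assumptions of this sketch.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

static char cmd[64], stack[65536] __attribute__((aligned(16)));
static int ctrl_fd, probe_fd;   /* constructed descriptor numbers */

static int is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }
static int free_fd(int from) { while (is_open(from)) from++; return from; }

/* Child: shares the parent's descriptor table until it execs. */
static int child(void *arg) {
    (void)arg;
    if (open("/dev/null", O_RDONLY) != ctrl_fd) _exit(126); /* pre-exec open */
    kill(getpid(), SIGSTOP);    /* pause so the parent can inspect its table */
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
    _exit(127);
}

static int wait_stopped(pid_t pid) {
    int st;
    return (waitpid(pid, &st, WUNTRACED) == pid && WIFSTOPPED(st)) ? 0 : -1;
}

/* Bit 0: an open made by the child before exec is visible in the parent.
   Bit 1: an open made after exec is visible too (unsafe). -1: setup failed. */
int probe_fd_sharing(void) {
    int rc = -1;
    ctrl_fd = free_fd(0);             /* lowest free fd: what open() returns */
    probe_fd = free_fd(ctrl_fd + 1);
    if (probe_fd > 9) return -1;      /* some sh only redirect one-digit fds */
    snprintf(cmd, sizeof cmd, "exec %d</dev/null; kill -STOP $$", probe_fd);
    pid_t pid = clone(child, stack + sizeof stack, CLONE_FILES | SIGCHLD, NULL);
    if (pid < 0) return -1;
    if (wait_stopped(pid) == 0) {     /* child has opened ctrl_fd and paused */
        int before = is_open(ctrl_fd);
        kill(pid, SIGCONT);           /* child now execs the shell */
        if (wait_stopped(pid) == 0) rc = before | (is_open(probe_fd) << 1);
    }
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    close(ctrl_fd);
    return rc;
}

int main(void) { printf("result=%d\n", probe_fd_sharing()); return 0; }
```

A result of 1 means the table was shared before exec and private afterwards; 3 would mean the exec'd program still operates on the parent's table.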