Bugtraq mailing list archives
Re: strace can lie
From: v2 () MOONTV FI (Sampo Savolainen)
Date: Tue, 28 Dec 1999 13:24:45 +0200
On Sat, 25 Dec 1999, Pavel Machek wrote:
/* Pavel Machek's demonstration, reflowed from one line with the headers it
 * needs; the shared mapping is sized so the first write does not SIGBUS. */
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

int main(void)
{
    char *c = (char *)0x94000000;            /* fixed address for the shared page */
    int fd = open("/tmp/delme", O_RDWR | O_CREAT, 0600);
    ftruncate(fd, 4096);                      /* mapping past EOF would fault on access */
    mmap(c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, fd, 0);
    *c = 0;
    if (fork()) {
        /* parent keeps flipping the name that lives in the shared page */
        while (1) {
            strcpy(c, "/public");
            strcpy(c, "/secret");
        }
    } else {
        /* child passes that same page as the pathname of every open(2) */
        while (1)
            open(c, 0);
    }
}

[pid 224] open("/public", O_RDONLY) = 718
[pid 224] open("/secret", O_RDONLY) = 719
[pid 224] open("/public", O_RDONLY) = 720
I tried this with Linux 2.3.20, it worked fine:

cristobal:~# ls -l /secret /public
-rw-rw-r--   1 root     root            7 Dec 28 13:17 /public
--w--w----   1 root     root            7 Dec 28 13:17 /secret

and the strace log:

[pid 10999] open("/public", O_RDONLY)   = 192
[pid 10999] open("/secret", O_RDONLY)   = -1 EACCES (Permission denied)

...most of the time. From 1270 tried opens, 11 tries had the wrong filename read from memory.

Does the kernel save the filename anywhere in the file descriptor arrays? If it does, then strace could be easily modified to read the filename from the kernel, not from the program's userspace.

------------------------------------------------------------------------------
v2 - Sampo Savolainen - 040 7555649
Saraxa Media / Finngemma Tuotanto Oy
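The mechanism behind the 11 wrong names above is that strace copies the pathname out of the tracee's memory at a ptrace stop, while the kernel copies it for itself at a different instant; anything that rewrites that memory in between makes the trace disagree with what the kernel used. The program below is an added example, not code from either poster: it rebuilds the race on an anonymous shared mapping (no /tmp file, no fixed address) and shows the one check a userspace tracer can apply, namely reading the argument at both the syscall-entry and syscall-exit stops and refusing to trust a record whose two reads differ. The "kernel copy" in the middle is simulated by a third read, so the counters are illustrative. The check narrows the window but cannot close it, which is why a record captured inside the kernel (Linux audit PATH records, which come from the kernel's own copy of the name) is the reliable answer to the question asked in the post.

```c
/* Added example, not strace or the kernel: a forked writer flips a shared page
 * between two names while the parent plays both "kernel" and "tracer". */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define PATH_LEN 8 /* "/public" and "/secret" are 7 bytes plus the NUL */

struct race_stats {
    long samples;     /* records the tracer took */
    long unstable;    /* entry and exit reads disagreed: record is untrustworthy */
    long silent_lies; /* entry == exit, yet the simulated kernel copy differed */
};

/* The double-read rule: a tracer may only trust an argument string if the
 * snapshot at syscall entry equals the snapshot at syscall exit. */
int record_is_stable(const char *at_entry, const char *at_exit)
{
    return strcmp(at_entry, at_exit) == 0;
}

struct race_stats run_race(long samples)
{
    struct race_stats st = {0, 0, 0};
    char *shared = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return st;
    strcpy(shared, "/public");

    pid_t writer = fork();
    if (writer == 0) {
        /* writer child: same flip loop as the original demonstration */
        for (;;) {
            strcpy(shared, "/public");
            strcpy(shared, "/secret");
        }
    }
    if (writer < 0) {
        munmap(shared, 4096);
        return st;
    }

    for (long i = 0; i < samples; i++) {
        char entry[PATH_LEN], used[PATH_LEN], exit_[PATH_LEN];
        memcpy(entry, shared, PATH_LEN); /* tracer read at syscall-entry stop */
        memcpy(used, shared, PATH_LEN);  /* simulated kernel copy of the name */
        memcpy(exit_, shared, PATH_LEN); /* tracer read at syscall-exit stop */
        st.samples++;
        if (!record_is_stable(entry, exit_))
            st.unstable++;
        else if (strcmp(entry, used) != 0)
            st.silent_lies++; /* both reads agreed and were still wrong */
    }

    kill(writer, SIGKILL);
    waitpid(writer, NULL, 0);
    munmap(shared, 4096);
    return st;
}

int main(void)
{
    struct race_stats st = run_race(200000);
    printf("samples=%ld unstable=%ld silent_lies=%ld\n",
           st.samples, st.unstable, st.silent_lies);
    return 0;
}
```

On a multi-core machine the unstable counter is normally non-zero, and silent_lies shows the records the double read still lets through; both depend on scheduling, so treat them as a demonstration, not a measurement.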