Bugtraq mailing list archives
Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
From: Wojciech Purczynski <cliph () isec pl>
Date: Wed, 15 Aug 2007 23:05:09 +0200 (CEST)
In this case check_kill_permission() returns -EPERM for unprivileged parent.You always talked about setuid root process sending PDEATH_SIG to the root child, didn't you? check_kill_permission() checks current->euid and current->uid against t->uid and t->suid, where 'current' is the pointer to the task_struct of the sender, or, in our case, of the dying setuid root process, and 't' is the pointer to the task_struct of the root child. If one of those checks succeeds then the entire check_kill_permission() succeeds. current->euid is in our case 0, t->uid and t->suid are 0 too. So where is the problem?
The problem is that without suid binary execved from parent process you can not send the signal. ;) With suid binary you can and that makes this issue a privilege escalation vulnerability.
Current thread:
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability, (continued)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 20)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 20)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Nicolas Rachinsky (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 16)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 16)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 15)