Full Disclosure mailing list archives

Re: Attacks based on predictable process IDs??


From: Wojciech Purczynski <cliph () isec pl>
Date: Thu, 27 Nov 2003 09:26:24 +0100 (CET)


Among other things mentioned in this thread, just take a look at the exploit
technique used in the recent kernel_thread()/ptrace() race condition in the
Linux kernel. That exploit needed to PTRACE_ATTACH to a newly created
thread (invoked "automatically" by kmod) before it was possible to know the
PID of this newly created thread. So it used a simple heuristic - current
pid + 1, which was true on most systems without PID randomization.

The exploit attaches to the spawned kmod process, which actually must have its pid.
It doesn't have to predict the PID before the process is created.

Even if the PID is chosen randomly there are at least three techniques
that allow guessing its value easily:

  1. Scanning /proc directory tree to determine new entries

  2. Using kill(pid, 0) to verify each pid's existence

  3. Using some other syscalls that take a pid as an argument and analysing
     the error value returned:
        
        waitpid
        wait4
        ptrace
        setpgid
        getpgid
        capget

     ...and maybe some others.

15 bits of randomness isn't sufficient to prevent guessing its value.

Cheers,
wp

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/

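The post's second technique, kill(pid, 0), is worth seeing in code because it shows why PID randomization on its own does not hide a process: the existence check happens before the permission check, so an unprivileged caller learns whether a PID is in use from the error value alone (0 or EPERM means "exists", ESRCH means "free"). The following is an added example written for this archive page, not code from the post or from iSEC; it spawns a child, confirms the probe sees it, reaps it, and confirms the PID reads as free again. Function names (pid_exists, count_live_pids, demo_child_visibility) are mine. Note for defenders that mounting /proc with hidepid only closes the post's first technique (directory scanning); this probe still works, which is the point the post is making.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe whether a PID is currently in use without delivering a signal.
 * kill(pid, 0) performs only the existence and permission checks:
 *   0      -> process exists and we may signal it
 *   EPERM  -> process exists but belongs to someone else (existence still leaks)
 *   ESRCH  -> no such process
 * Returns 1 if the PID is in use, 0 if it is free, -1 on an unexpected error.
 * (Hypothetical helper, not from the original post.) */
int pid_exists(pid_t pid)
{
    if (pid <= 0)              /* 0 and negatives address process groups, not one PID */
        return -1;
    if (kill(pid, 0) == 0)
        return 1;
    if (errno == EPERM)
        return 1;
    if (errno == ESRCH)
        return 0;
    return -1;
}

/* Count how many PIDs in [lo, hi] are in use: the "probe every value" loop
 * the post describes. A 15-bit PID space is only 32768 cheap syscalls, which
 * is why the post says that much randomness is not enough. */
long count_live_pids(pid_t lo, pid_t hi)
{
    long n = 0;
    for (pid_t p = lo; p <= hi; p++)
        if (pid_exists(p) == 1)
            n++;
    return n;
}

/* Spawn a child, confirm the probe sees it while it lives, then reap it and
 * confirm the probe reports the PID as free. Returns 1 if both observations
 * matched expectations, 0 otherwise. */
int demo_child_visibility(void)
{
    pid_t child = fork();
    if (child < 0)
        return 0;
    if (child == 0) {
        pause();               /* child idles until it is killed */
        _exit(0);
    }
    int seen_alive = pid_exists(child);   /* fork returned, so the PID exists */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);              /* reaping releases the PID */
    int seen_after = pid_exists(child);
    return seen_alive == 1 && seen_after == 0;
}

int main(void)
{
    printf("own pid %d visible: %d\n", (int)getpid(), pid_exists(getpid()));
    printf("pid 1 visible (1 even as an unprivileged user): %d\n", pid_exists(1));
    printf("live pids in 1..32768: %ld\n", count_live_pids(1, 32768));
    printf("child lifecycle observed correctly: %d\n", demo_child_visibility());
    return 0;
}
```

Running it as a normal user shows pid 1 reported as present via EPERM, which is exactly the leak the post relies on: the kernel answers "is this PID taken?" before it answers "may you touch it?".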

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
