Bugtraq mailing list archives

Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork())


From: jepler () INETNEBR COM (Jeff Epler)
Date: Sat, 2 Aug 1997 22:57:31 -0500


On Sat, Aug 02, 1997 at 08:02:04PM -0500, Thomas H. Ptacek wrote:
>             Vulnerability in rfork() System Call
> A vulnerability in certain 4.4BSD kernels allows processes to gain
> access to restricted resources by manipulating the file descriptor
> tables of SUID and SGID executables. Applications of this vulnerability
> will allow users to gain root access.

A look at the source code for Linux kernel 2.0.30 and an attempted
exploit seem to show that Linux clone() does not have the weakness
discovered in rfork().

An excerpt from linux/fs/exec.c (lines 516ff in my copy):
    if (id_change) {
        /* We can't suid-execute if we're sharing parts of the executable */
        /* or if we're being traced (or if suid execs are not allowed) */
        /* (current->mm->count > 1 is ok, as we'll get a new mm anyway) */
        if (IS_NOSUID(bprm->inode)
            || (current->flags & PF_PTRACED)
            || (current->fs->count > 1)
            || (current->sig->count > 1)
            || (current->files->count > 1)) /*XXX jepler*/ {
            if (!suser())
                return -EPERM;
        }
    }

XXX marks the line which keeps us safe in the face of CLONE_FILES.

Copies of my non-exploit are available on request.

Jeff
--
\/ jepler () inetnebr com http://incolor.inetnebr.com/jepler/ (0|1(01*0)*1)+
HOW YOU CAN TELL THAT IT'S GOING TO BE A ROTTEN DAY:
        #1040 Your income tax refund cheque bounces.
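The probe below is an added example written for this archive page; it is not Jeff's non-exploit and not code from the thread. It reproduces the rfork()-style setup on Linux: the parent and child share one file-descriptor table (CLONE_FILES), the child execs a target, and the parent reports whether execve() was refused and with which errno. Against the 2.0.30 check quoted above, a non-root caller exec'ing a setuid binary should see EPERM (current->files->count is 2 at that point and suser() fails). Kernels that instead unshare the descriptor table during exec let the target run normally, which is also a safe outcome; the result to worry about would be a privileged target that runs while the parent still shares its table. The default target /bin/true, the stack size and the function names are assumptions of the example; Linux is required for clone(2).

```c
/* Added example (not from the original post): exec a target from a child
 * that shares the caller's file-descriptor table, and report the outcome.
 * Linux only: clone(2) with CLONE_FILES.  Default target is an assumption. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_STACK_SIZE (64 * 1024)

struct probe_args {
    const char *path;   /* target to execve() from the child */
    int err_fd;         /* pipe write end: child reports execve() errno here */
};

static int probe_child(void *arg)
{
    struct probe_args *p = arg;
    char *const argv[] = { (char *)p->path, NULL };
    char *const envp[] = { NULL };

    execve(p->path, argv, envp);
    /* Only reached when execve() failed (EPERM from the quoted 2.0.30
       check, ENOENT for a missing path, ...): pass the errno back. */
    int e = errno;
    if (write(p->err_fd, &e, sizeof e) != (ssize_t)sizeof e)
        _exit(126);
    _exit(127);
}

/* Runs `path` from a child sharing our descriptor table.  Returns the
 * child's execve() errno (0 when the exec went ahead), or -1 if the probe
 * could not be set up.  *wstatus, if non-NULL, receives the wait status. */
int probe_shared_files_exec(const char *path, int *wstatus)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    /* Close-on-exec so the write end does not leak into a target that did
       run; a failed execve() leaves it open for the child's error report. */
    fcntl(pfd[1], F_SETFD, FD_CLOEXEC);

    char *stack = malloc(CHILD_STACK_SIZE);
    if (stack == NULL) {
        close(pfd[0]); close(pfd[1]);
        return -1;
    }
    struct probe_args args = { path, pfd[1] };

    /* CLONE_FILES: one files_struct for both processes, so the child hits
       the exec.c check with current->files->count == 2.  SIGCHLD keeps
       waitpid() semantics normal.  Stack grows down, hence the top address. */
    pid_t pid = clone(probe_child, stack + CHILD_STACK_SIZE,
                      CLONE_FILES | SIGCHLD, &args);
    if (pid < 0) {
        int saved = errno;
        free(stack); close(pfd[0]); close(pfd[1]);
        errno = saved;
        return -1;
    }

    /* Do not touch the shared table until the child is gone: closing the
       write end now would close it for the child as well. */
    int status = 0;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    free(stack);
    close(pfd[1]);   /* EBADF if exec already closed it in a shared table; harmless */

    int exec_errno = 0;
    ssize_t n = read(pfd[0], &exec_errno, sizeof exec_errno);
    close(pfd[0]);
    if (n != (ssize_t)sizeof exec_errno)
        exec_errno = 0;  /* EOF: the child never wrote, so execve() succeeded */
    if (wstatus)
        *wstatus = status;
    return exec_errno;
}

/* Exit code of the target, or -1 if it did not exec or did not exit normally. */
int probe_exit_code(const char *path)
{
    int status;
    if (probe_shared_files_exec(path, &status) != 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/bin/true";   /* assumed default */
    int status;
    int e = probe_shared_files_exec(target, &status);

    if (e < 0) { perror("probe setup"); return 2; }
    if (e == EPERM)
        printf("%s: execve refused with EPERM (2.0.30 behaviour for a shared file table)\n", target);
    else if (e != 0)
        printf("%s: execve failed: %s\n", target, strerror(e));
    else
        printf("%s: execve went ahead, exit status %d\n", target,
               WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return 0;
}
```

Build with `cc -o probe probe.c` and run `./probe /path/to/some-setuid-binary` as a non-root user; root is exempted by the suser() branch in the quoted check, so a root run tells you nothing. The errno travels back over a pipe that is read only after waitpid(), because with CLONE_FILES any close() in the parent also closes the descriptor for the child.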
