Bugtraq mailing list archives
Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
From: Dan Yefimov <dan () ns15 lightwave net ru>
Date: Fri, 17 Aug 2007 05:27:40 +0400 (MSD)
On Thu, 16 Aug 2007, Glynn Clements wrote:
> However, the bug in question allows sending signals which cannot be blocked or ignored (SIGKILL, SIGSTOP). Moreover, the cause (PDEATHSIG) cannot be disabled.
Really? And what if we fork right after startup and perform operations as a child?
> SIGKILL and SIGSTOP cannot be blocked, handled or ignored.
As for SIGKILL, I again repeat that the program must operate in a fail-safe way when that makes sense. BTW, SIGKILL and SIGSTOP can be issued by O_ASYNC file I/O as well (look at the F_SETSIG section in fcntl(2)). If you use F_SETSIG for sending SIGKILL or SIGSTOP, there's nothing to be done about that: that behaviour is well documented, and a setuid root program must know which file descriptor should be closed to prevent it, which is of course not possible. The only cure here is closing every file descriptor above 2, but that is still insufficient, since fcntl() might be issued on file descriptors 0 to 2.
> Signals which don't terminate the process may still have undesirable consequences, e.g. use of SIGUSR1 as a secure signalling mechanism (at least, it's supposed to be secure).
Supposed by whom, and why? Where is the guarantee? As I said previously, an arbitrary signal can be issued in a couple of ways.
> There's more risk if a program uses signals (e.g. SIGUSR1) for remote control.
AFAIK, nobody normal does that; the results are unpredictable. Much more often FIFOs and sockets are used for that.
> > Really? Let's consider the following scenario. You write an analogue of /bin/passwd. Here you make a temporary copy of /etc/shadow, hard link /etc/shadow to /etc/shadow-, pre-removing the existing /etc/shadow- if that exists,
> That interferes with any existing passwd invocation.
Probably. But the data will still be in a consistent state. I just proposed an idea without much detail.
> Sending asynchronous signals to setuid/setgid children is supposed to be impossible, and that restriction is considered a security mechanism.
And this IS generally impossible. Once you have spawned a setuid root binary that will send a signal while dying, you have no control over the moment at which the signal is sent. The exploitation scenario for this bug is a bit artificial.
--
Sincerely Yours,
Dan.
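An added illustration of the mechanism the two posters are arguing about; this is not code from the advisory or from either of them. It builds the process tree with ordinary unprivileged processes (no setuid binary is exec'd, so it shows how the parent-death signal is delivered, not the privilege bypass): a child registers PR_SET_PDEATHSIG, its parent exits, and the kernel delivers the registered signal, including SIGKILL, to the child. The second variant exercises the "fork right after startup" idea from Dan's reply: prctl(2) documents that the parent-death signal setting is cleared for the child of a fork(2), so a worker forked after the registration survives while its parent is killed. It assumes Linux 3.4 or later for PR_SET_CHILD_SUBREAPER, which lets the harness wait for the reparented descendants; the process labels P, C, W and the function names are this example's own.

```c
/* Parent-death-signal demo (added example, Linux only).
 * Process tree, with T the process calling run_scenario():
 *   T -> P (unprivileged parent that will die)
 *          -> C (child that registers sig via PR_SET_PDEATHSIG; stands in
 *                for the child that would have exec'd a setuid binary)
 *                 -> W (optional worker forked by C after registering) */
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct pids { pid_t child; pid_t worker; };

static void idle_forever(void)
{
    for (;;)
        pause();
}

/* Returns the signal that terminated C, or -1 on error. If with_worker is
 * set and worker_alive is non-NULL, *worker_alive is 1 when W was still
 * running after C had died (fork(2) cleared W's parent-death signal). */
int run_scenario(int sig, int with_worker, int *worker_alive)
{
    int ready[2], info[2], st;
    struct pids ids;

    if (pipe(ready) < 0 || pipe(info) < 0)
        return -1;
    /* Orphans of P and C are reparented to T instead of init, so T can
     * waitpid() for them. Assumes PR_SET_CHILD_SUBREAPER (Linux >= 3.4). */
    if (prctl(PR_SET_CHILD_SUBREAPER, 1) < 0)
        return -1;

    pid_t p = fork();
    if (p < 0)
        return -1;
    if (p == 0) {                            /* P */
        close(ready[0]);
        close(info[0]);
        pid_t c = fork();
        if (c < 0)
            _exit(1);
        if (c == 0) {                        /* C */
            if (prctl(PR_SET_PDEATHSIG, sig) < 0)
                _exit(2);
            ids.child = getpid();
            ids.worker = 0;
            if (with_worker) {
                ids.worker = fork();
                if (ids.worker < 0)
                    _exit(3);
                if (ids.worker == 0) {       /* W: pdeath_signal is 0 here */
                    close(info[1]);
                    close(ready[1]);
                    idle_forever();
                }
            }
            if (write(info[1], &ids, sizeof ids) != (ssize_t)sizeof ids)
                _exit(4);
            close(info[1]);
            close(ready[1]);   /* last writer gone: P's read() sees EOF */
            idle_forever();
        }
        close(ready[1]);
        close(info[1]);
        char buf;
        if (read(ready[0], &buf, 1) < 0)     /* block until C registered */
            _exit(5);
        _exit(0);                            /* P dies: kernel signals C */
    }
    close(ready[0]);
    close(ready[1]);
    close(info[1]);
    if (read(info[0], &ids, sizeof ids) != (ssize_t)sizeof ids)
        return -1;
    close(info[0]);

    waitpid(p, &st, 0);                      /* reap P; C is now T's child */
    if (waitpid(ids.child, &st, 0) != ids.child)
        return -1;
    int killed_by = WIFSIGNALED(st) ? WTERMSIG(st) : -1;

    if (with_worker && worker_alive) {
        /* W was reparented to T when C died; WNOHANG returning 0 means it
         * is still running, i.e. the parent-death signal never reached it. */
        *worker_alive = (waitpid(ids.worker, &st, WNOHANG) == 0);
        kill(ids.worker, SIGKILL);
        waitpid(ids.worker, &st, 0);
    }
    return killed_by;
}

/* 1 if the worker outlived C, 0 if not, -1 if C was not killed by SIGTERM. */
int worker_survives_parent_death(void)
{
    int alive = 0;
    if (run_scenario(SIGTERM, 1, &alive) != SIGTERM)
        return -1;
    return alive;
}

int main(void)
{
    printf("PR_SET_PDEATHSIG=SIGTERM: child killed by signal %d\n",
           run_scenario(SIGTERM, 0, NULL));
    printf("PR_SET_PDEATHSIG=SIGKILL: child killed by signal %d\n",
           run_scenario(SIGKILL, 0, NULL));
    printf("worker forked after registration survived: %d\n",
           worker_survives_parent_death());
    return 0;
}
```

The ready pipe is what makes the race discussed in the thread explicit: if P exited before C had called prctl(), nothing would be delivered, which is why C only closes its end of the pipe after registering. The same prctl(2) page records the kernel-side fix for the advisory's class of bug: since 2.6.23 the setting is also cleared when a set-user-ID or set-group-ID binary is executed.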
Current thread:
- COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 14)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 14)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 14)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 16)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 16)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 16)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Glynn Clements (Aug 20)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 20)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 14)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Nicolas Rachinsky (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 17)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Wojciech Purczynski (Aug 15)
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability Dan Yefimov (Aug 15)