Full Disclosure mailing list archives

Re: Attacks based on predictable process IDs??


From: Jirka Kosina <jikos () jikos cz>
Date: Wed, 26 Nov 2003 14:07:44 +0100 (CET)

On Wed, 26 Nov 2003, Brett Hutley wrote:

> Folks, does anyone know why predictable process IDs are considered harmful?
> I can see that there could be the possibility of a compromise if your
> cryptographic PRNGs are seeded using a process ID.
> Does anyone know of any other types of attacks?

Among other things mentioned in this thread, just take a look at the exploit
technique used in the recent kernel_thread()/ptrace() race condition in the Linux
kernel. That exploit needed to PTRACE_ATTACH to the newly created thread
(invoked "automatically" by kmod) before it was possible to know the PID of
this newly created thread. So it used a simple heuristic, current pid + 1,
which was true on most systems without PID randomization.

-- 
JiKos.
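The "current pid + 1" heuristic mentioned above, as an added example that is not part of the original post or of the exploit it refers to. The program below is a hypothetical measurement tool, assumed to run on Linux or another POSIX system with a sequential PID allocator: it forks a throwaway probe child to learn the most recently allocated PID, commits to a guess of probe + 1 before the next process exists, then creates that process and checks whether the guess was right. The function name count_pid_guesses and the trial count are assumptions for illustration; the real attack raced a kernel thread spawned by kmod, which is replaced here by an ordinary fork().

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not from the original post). Runs `trials` rounds of:
 *   1. fork a probe child to observe where the PID allocator currently is,
 *   2. guess that the next PID handed out will be probe + 1,
 *   3. create the "target" and compare its real PID with the guess.
 * Returns the number of correct guesses, stores the number of completed
 * rounds in *out_attempted when non-NULL, and returns -1 if fork() fails. */
int count_pid_guesses(int trials, int *out_attempted)
{
    int hits = 0, attempted = 0;

    for (int i = 0; i < trials; i++) {
        /* Step 1: learn the current position of the sequential PID allocator. */
        pid_t probe = fork();
        if (probe < 0)
            return -1;
        if (probe == 0)
            _exit(0);
        waitpid(probe, NULL, 0);

        /* Step 2: the attacker's guess, fixed before the target exists.
         * This is the whole trick: no /proc scan, no race to read the PID. */
        pid_t guess = probe + 1;

        /* Step 3: the target appears. In the exploit this was the kernel
         * thread created via kmod; here it is just another child process. */
        pid_t target = fork();
        if (target < 0)
            return -1;
        if (target == 0)
            _exit(0);
        waitpid(target, NULL, 0);

        attempted++;
        if (target == guess)
            hits++;
    }

    if (out_attempted)
        *out_attempted = attempted;
    return hits;
}

int main(void)
{
    int attempted = 0;
    int hits = count_pid_guesses(100, &attempted);
    if (hits < 0) {
        perror("fork");
        return 1;
    }
    printf("pid+1 guess correct %d/%d times\n", hits, attempted);
    return 0;
}
```

On a quiet machine with a sequential allocator the guess is right nearly every time; a miss happens when another process is created between the probe and the target, when probe + 1 is still held by a long-lived process (the allocator skips to the next free PID), or when the counter wraps at pid_max. The same loop doubles as a quick check of your own system: a hit rate near 1/pid_max means PIDs are randomized, a hit rate near one means an attacker can rely on the heuristic above.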

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
