Full Disclosure mailing list archives
Re: Attacks based on predictable process IDs??
From: Wojciech Purczynski <cliph () isec pl>
Date: Thu, 27 Nov 2003 09:26:24 +0100 (CET)
> Among other things mentioned in this thread, just take a look at the exploit technique used in the recent kernel_thread()/ptrace() race condition in the Linux kernel. That exploit needed to PTRACE_ATTACH to the newly created thread (invoked "automatically" by kmod) before it was possible to know the PID of this newly created thread. So it used a simple heuristic - current pid + 1, which was true on most systems without PID randomization.
The exploit attaches to the spawned kmod process, which actually must have its pid. It doesn't have to predict the PID before the process is created. Even if the PID is chosen randomly, there are at least three techniques that allow one to guess its value easily:

1. Scanning the /proc directory tree to determine new entries
2. Using kill(pid, 0) to verify each pid's existence
3. Using some of the other syscalls that take a pid as an argument and analysing the error value returned: waitpid, wait4, ptrace, setpgid, getpgid, capget, ...and maybe some others.

15 bits of randomness isn't sufficient to prevent guessing its value.

Cheers,
wp

--
Wojciech Purczynski
iSEC Security Research
http://isec.pl/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
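The two cheap enumeration techniques in the reply above (listing /proc and probing with kill(pid, 0)) are exactly what any process monitor or `pgrep` does, which is why a randomized PID is not a secret: a full sweep of the PID space takes a fraction of a second, and a newly appeared process is just the difference between two sweeps. The program below is an added illustration written for this archive page, not code from the thread or from iSEC. It assumes Linux (the `/proc` filesystem and `/proc/sys/kernel/pid_max`; when that file is unreadable it falls back to the traditional 32768, the 15-bit space the post refers to), treats EPERM from kill() as "exists but not ours", and refuses non-positive PIDs because kill() gives those special meaning. The function and file names are the example's own.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Size of the PID space: the live /proc/sys/kernel/pid_max, or the
 * traditional default of 32768 (2^15) if it cannot be read. */
long pid_space(void) {
    long max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &max) != 1 || max <= 0) max = 32768;
        fclose(f);
    }
    return max;
}

/* 1 if a process with this PID exists. kill(pid, 0) sends no signal; it
 * succeeds for our own processes and fails with EPERM for other users'
 * processes, which still proves the PID is in use. ESRCH means free. */
int pid_alive(pid_t pid) {
    if (pid <= 0) return 0;              /* 0 / -1 would target groups */
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM ? 1 : 0;
}

static void set_bit(unsigned char *bm, long pid) { bm[pid / 8] |= (unsigned char)(1u << (pid % 8)); }
int bitmap_has(const unsigned char *bm, long pid) { return (bm[pid / 8] >> (pid % 8)) & 1; }

/* Technique 2 from the post: sweep the whole PID space with kill(pid, 0).
 * Returns a calloc'ed bitmap (one bit per PID) the caller must free. */
unsigned char *snapshot_pids_kill(void) {
    long n = pid_space();
    unsigned char *bm = calloc((size_t)(n + 7) / 8, 1);
    if (!bm) return NULL;
    for (long pid = 1; pid < n; pid++)
        if (pid_alive((pid_t)pid)) set_bit(bm, pid);
    return bm;
}

/* Technique 1 from the post: read the numeric entries of /proc instead.
 * Returns a bitmap the caller must free, or NULL if /proc is unavailable. */
unsigned char *snapshot_pids_proc(void) {
    long n = pid_space();
    DIR *d = opendir("/proc");
    if (!d) return NULL;
    unsigned char *bm = calloc((size_t)(n + 7) / 8, 1);
    struct dirent *e;
    while (bm && (e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end == '\0' && pid > 0 && pid < n) set_bit(bm, pid);
    }
    closedir(d);
    return bm;
}

/* PIDs present in `after` but not in `before`: processes that appeared
 * between two sweeps. Writes up to max_out PIDs into out, returns count. */
int new_pids(const unsigned char *before, const unsigned char *after,
             pid_t *out, int max_out) {
    long n = pid_space();
    int found = 0;
    for (long pid = 1; pid < n && found < max_out; pid++)
        if (bitmap_has(after, pid) && !bitmap_has(before, pid)) out[found++] = (pid_t)pid;
    return found;
}

/* Sweep, spawn a child whose PID the kernel picks, sweep again, and check
 * that the child shows up in the difference. Returns 1 on success. */
int demo_spot_new_process(void) {
    unsigned char *before = snapshot_pids_kill();
    if (!before) return 0;
    pid_t child = fork();
    if (child < 0) { free(before); return 0; }
    if (child == 0) { pause(); _exit(0); }   /* child idles until killed */
    unsigned char *after = snapshot_pids_kill();
    pid_t found[64];
    int hit = 0, n = after ? new_pids(before, after, found, 64) : 0;
    for (int i = 0; i < n; i++) if (found[i] == child) hit = 1;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    free(before); free(after);
    return hit;
}

/* -1 if /proc is unavailable, 1 if /proc lists our own PID, 0 otherwise. */
int demo_proc_sees_self(void) {
    unsigned char *bm = snapshot_pids_proc();
    if (!bm) return -1;
    int r = bitmap_has(bm, getpid());
    free(bm);
    return r;
}

int main(void) {
    printf("pid space: %ld PIDs\n", pid_space());
    printf("new child spotted via kill(pid, 0) sweep: %s\n",
           demo_spot_new_process() ? "yes" : "no");
    printf("/proc lists this process: %d\n", demo_proc_sees_self());
    return 0;
}
```

The sweep costs one syscall per PID, so even the larger pid_max values modern distributions set only push the cost from milliseconds to seconds; the practical defence is not hiding the PID but removing the race (the kernel fix the thread discusses) or restricting who may attach or signal, e.g. ptrace scope restrictions and PID namespaces, which limit what a sweep can see rather than what it can guess.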
Current thread:
- Attacks based on predictable process IDs?? Brett Hutley (Nov 25)
- Re: Attacks based on predictable process IDs?? Christopher Allene (Nov 25)
- Re: Attacks based on predictable process IDs?? Brett Hutley (Nov 25)
- Re: Attacks based on predictable process IDs?? Jirka Kosina (Nov 26)
- Re: Attacks based on predictable process IDs?? Wojciech Purczynski (Nov 27)
- Re: Attacks based on predictable process IDs?? Dirk Mueller (Nov 27)
- Re: Attacks based on predictable process IDs?? Thomas Preissler (Nov 27)
- Re: Attacks based on predictable process IDs?? Wojciech Purczynski (Nov 28)
- Re: Attacks based on predictable process IDs?? Luis Bruno (Nov 28)
- Re: Attacks based on predictable process IDs?? Wojciech Purczynski (Nov 27)
- Re: Attacks based on predictable process IDs?? Christopher Allene (Nov 25)