Vulnerability Development mailing list archives
Re: ptrace in linux kernel
From: "D.C. van Moolenbroek" <xanadu () chello nl>
Date: Mon, 24 Mar 2003 23:36:11 +0100
Linux uses PIDs sequentially: if the last spawned process was assigned pid N, then the next spawned process will be assigned pid N+1, starting from 1 and wrapping to 300 at 32768. That means you can easily "guess" the PID of a kernel process: for example, spawn a child in your exploit program, then start the kernel process (e.g. using a socket() call with an unused protocol, as seen in a few exploits), and the kernel process will _probably_ have a PID equal to the PID of the child plus one.

Of course, this will go wrong when there is another process created in the meantime - and that is far from theoretical on a system with lots of activity. However, this is easy to detect, because the ptrace attach operation will fail in that case.

Regards,
David

"Marcus Tangermann" wrote:
> As far as I understand the problem with the ptrace bug in the linux kernel, you can ptrace a spawned process for module loading before the EUID of the process (that is originally the same as of the parent) is changed to 0. But how can I get the PID of the spawned process?
>
> Best regards
> Marcus
--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
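The PID-guessing and failure-detection idea from the reply above, as an added example that is not part of the original thread or of any exploit it mentions. It does not trigger the kernel's module loader; the "kernel process" is replaced by an ordinary child of our own (an assumption, so the program runs unprivileged), and the wrap values 32768 -> 300 are the ones the post states for the kernels of its time, taken here as given rather than read from the running system. The marker/target names and the attach_result classification are mine.

```c
/*
 * Added example: predict the pid of the next spawned process as
 * "marker pid + 1", attempt PTRACE_ATTACH on that guess, and classify
 * the failure if the race was lost.  The target is a child we fork
 * ourselves (stand-in for the kernel-spawned process in the post).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PID_MAX  32768   /* post: pids wrap at 32768 ...            */
#define PID_WRAP 300     /* ... back to 300 (assumed, not probed)   */

enum attach_result {
    ATTACH_OK,           /* attached: the guess was a traceable pid */
    ATTACH_NO_SUCH_PID,  /* ESRCH: nobody has that pid (yet)        */
    ATTACH_DENIED,       /* EPERM: pid exists but is not ours, or   */
                         /*        is already traced, or is self    */
    ATTACH_OTHER         /* anything else                           */
};

/* The rule stated in the post: next pid is N+1, wrapping to 300 at 32768. */
pid_t predict_next_pid(pid_t last)
{
    pid_t next = last + 1;
    return next >= PID_MAX ? PID_WRAP : next;
}

/* Try to attach to a guessed pid and say why it failed, if it did. */
enum attach_result try_attach(pid_t guess)
{
    if (ptrace(PTRACE_ATTACH, guess, NULL, NULL) == 0)
        return ATTACH_OK;
    switch (errno) {
    case ESRCH: return ATTACH_NO_SUCH_PID;
    case EPERM: return ATTACH_DENIED;
    default:    return ATTACH_OTHER;
    }
}

/*
 * Spawn a marker child, guess marker+1, then spawn the target and attach
 * to the guess.  Returns 1 if the guess hit the target, 0 if some other
 * process took the pid in between (the race the post warns about),
 * -1 on fork failure.
 */
int guess_and_attach(void)
{
    pid_t marker = fork();
    if (marker < 0) return -1;
    if (marker == 0) _exit(0);          /* marker: exits at once, pid stays reserved until reaped */

    pid_t guess = predict_next_pid(marker);

    pid_t target = fork();              /* stand-in for the kernel-spawned process */
    if (target < 0) { waitpid(marker, NULL, 0); return -1; }
    if (target == 0) { pause(); _exit(0); }   /* target: sleeps until killed */

    enum attach_result r = try_attach(guess);
    int hit = (guess == target);
    printf("marker=%d guess=%d target=%d attach=%d hit=%d\n",
           (int)marker, (int)guess, (int)target, (int)r, hit);

    if (r == ATTACH_OK) {               /* wait for the stop, then let go */
        waitpid(guess, NULL, 0);
        ptrace(PTRACE_DETACH, guess, NULL, NULL);
    }
    kill(target, SIGKILL);
    waitpid(target, NULL, 0);
    waitpid(marker, NULL, 0);
    return hit;
}

int main(void)
{
    int hit = guess_and_attach();
    puts(hit == 1 ? "guess was right" : hit == 0 ? "race lost (another process took the pid)" : "fork failed");
    return hit < 0;
}
```

If the guess lands on a pid that belongs to someone else, try_attach() reports ATTACH_DENIED; if nothing has been assigned that pid yet, ATTACH_NO_SUCH_PID. Either way the exploit would know to retry rather than proceed, which is the detection step the post describes. On a loaded system expect "race lost" some of the time.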
Current thread:
- ptrace in linux kernel Marcus Tangermann (Mar 24)
- Re: ptrace in linux kernel D.C. van Moolenbroek (Mar 24)