Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

From: Dan Yefimov <dan () ns15 lightwave net ru>
Date: Wed, 15 Aug 2007 16:46:28 +0400 (MSD)
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:



Small correction - I forgot to add setuid(0) ;)

      PARENT          CHILD
      ----------------------------------------------------------------
      fork()
                      prctl(PR_SET_PDEATHSIG)
                      execve("/bin/setuid-binary")
                      setuid(0)
      exit()'ed or killed
                      child receives NO signal this time


      PARENT          CHILD
      ----------------------------------------------------------------
      fork()
                      prctl(PR_SET_PDEATHSIG)
                      execve("/bin/setuid-binary")
                      setuid(0)
      execve("/bin/setuid-binary")
      exit()'ed or killed
                      privileged process receives the signal


This doesn't change anything in what I said previously. If the sender's EUID or 
RUID equals to any of SUID or RUID of the victim or the sender process is root, 
the sender can send any signal to the victim; if none of those conditions are 
met, it obviously can't, no matter how and what signal it sends. For details 
look at check_kill_permission() and group_send_sig_info() in kernel/signal.c
and reparent_thread() in kernel/exit.c in the kernel source tree (version 
2.6.22).
-- 

    Sincerely Your, Dan.
Previous By Date Next
Previous By Thread Next

Current thread: