Re: Attacks based on predictable process IDs??

[Brett Hutley <brett () hutley net>]

Christopher Allene wrote:

> Brett Hutley (brett () hutley net) wrote on 2003-11-26 at 11:32:
>
> > Folks, does anyone know why predictable process IDs are considered harmful?
>
>  
> Predictable process IDs can be used as a vector to attack programs
> vulnerable to race conditions in /tmp file creation, in case those
> programs use their PID to create a file, meaning you could possibly
> create one (or, for "practical" uses, more often a link or a named pipe)
> first.
>
> Programs which uses the following pseudo-code are also vulnerable:
>
>     srand (getppid ());
>
> because the sequence of the so-called rand()om numbers is predictible.
> (Arguably, calling srand() passing a xor of your PID and the current
> time is no better. See perldoc -f srand for a discussion on this, I'm
> getting offtopic.)

Hmmm... so it's more a case of badly written program using the process 
ID in an insecure way causes the vulnerability rather than a predictable 
process ID causing a vulnerability itself?

> Thus, I remember a really weird situation where predictable PIDs were
> used to compromise security, it was discussed on BugTraq a while ago,
> but I couldn't find a track of it in my BT archive... anyone?

--
Brett Hutley [MAppFin,CISSP,SANS GCIH]
mailto:brett () hutley net
http://hutley.net/brett


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html