Vulnerability Development mailing list archives

Re: ptrace in linux kernel


From: "D.C. van Moolenbroek" <xanadu () chello nl>
Date: Mon, 24 Mar 2003 23:36:11 +0100

Linux uses PIDs sequentially: if the last spawned process was assigned pid
N, then the next spawned process will be assigned pid N+1, starting from 1
and wrapping to 300 at 32768.

That means you can easily "guess" the PID of a kernel process: for example,
spawn a child in your exploit program, then start the kernel process (eg.
using a socket() call with an unused protocol, as seen in a few exploits),
and the kernel process will _probably_ have a PID equal to the PID of the
child plus one.

Of course, this will go wrong when there is another process created in the
meantime - and that is far from theoretical on a system with lots of
activity. However, this is easy to detect, because the ptrace attach
operation will fail in that case.

Regards,

David

"Marcus Tangermann" wrote:
As far as I understand the problem with the ptrace bug in the linux
kernel you can ptrace a spawned process for module loading
before the EUID of the process (that is originally the same as
of the parent) is changed to 0. But how can I get the PID of
the spawned process?

Best regards
Marcus

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
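A model of the allocation rule David describes above (next PID is last plus one, wrapping to 300 at 32768, skipping PIDs still in use), as an added example that is not part of the original post. The constants are the ones the post states; the class, function names and the in-use bookkeeping are this example's own assumptions.

```python
# Added example, not from the original post: a model of the sequential PID
# allocator described in the message. PID_MAX and RESERVED_PIDS are the values
# the post gives; the allocator class and its method names are assumptions.

PID_MAX = 32768       # when the counter reaches this value it wraps
RESERVED_PIDS = 300   # after wrapping, allocation restarts here, not at 1


class SequentialPidAllocator:
    """Sequential PID assignment; `in_use` holds PIDs of live processes."""

    def __init__(self, last_pid=0, in_use=()):
        self.last_pid = last_pid
        self.in_use = set(in_use)

    @staticmethod
    def _next_candidate(pid):
        pid += 1
        if pid >= PID_MAX:
            pid = RESERVED_PIDS
        return pid

    def allocate(self):
        """Hand out the first free PID after last_pid, wrapping as described."""
        pid = self.last_pid
        for _ in range(PID_MAX):
            pid = self._next_candidate(pid)
            if pid not in self.in_use:
                self.last_pid = pid
                self.in_use.add(pid)
                return pid
        raise RuntimeError("PID space exhausted")

    def release(self, pid):
        """A process exited; its PID becomes available again."""
        self.in_use.discard(pid)


def predict_next_pid(child_pid, in_use=()):
    """The guess the post describes: the PID handed out right after
    child_pid, assuming no other process is created in between.
    Any fork by another process in that window shifts the real answer
    by one, which is exactly the failure mode the post points out."""
    alloc = SequentialPidAllocator(last_pid=child_pid, in_use=in_use)
    return alloc.allocate()
```

The wrap case is the one worth checking by hand: a child with PID 32767 is followed by PID 300, not 32768.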
