Date: Tue, 8 Sep 1998 17:05:47 +1000 (EST)
From: Andrew Cagney <cagney@tpgi.com.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG, cagney@andrew1.lnk.telstra.net
Subject: kern/7858: GDB (ptrace?) can touch almost any executable
Message-ID: <199809080705.RAA10643@andrew1.lnk.telstra.net>
>Number:         7858
>Category:       kern
>Synopsis:       GDB (ptrace?) can touch almost any executable
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 8 00:10:00 PDT 1998
>Last-Modified:
>Originator:     Andrew Cagney
>Organization:   Un-organized
>Release:        FreeBSD 2.2.7-RELEASE i386
>Environment:

FreeBSD b1.cygnus.com 2.2.7-RELEASE FreeBSD 2.2.7-RELEASE #0: Fri Sep 4 16:47:02 EST 1998 cagney@b1.cygnus.com:/usr/src/sys/compile/B2 i386

Kernel is almost vanilla (but that is probably what they all say :-).

>Description:

GDB can be used to change the modify/creation dates of files the user doesn't own. Suspect PTRACE security hole.

>How-To-Repeat:

Exhibit 1:

    cagney@b1.cygnus.com$ cat ../devo/gdb/testsuite/gdb.base/reread2.c
    #include <stdio.h>

    int x;

    void foo()
    {
      x++;
      printf("This is foo\n");
    }

    int main()
    {
    #ifdef usestubs
      set_debug_traps ();
      breakpoint ();
    #endif
      foo();
      return 0;
    }

Compile exhibit 1 with:

    cagney@b1.cygnus.com$ sudo gcc -g -o reread ../devo/gdb/testsuite/gdb.base/reread2.c
    Password:
    cagney@b1.cygnus.com$ ls -ldg reread
    -rwxr-xr-x  1 root  wheel  11710 Sep  8 16:46 reread
    cagney@b1.cygnus.com$ whoami
    cagney
    cagney@b1.cygnus.com$ groups
    wheel network people
    cagney@b1.cygnus.com$

Check the file's date:

    cagney@b1.cygnus.com$ date ; /bin/ls -lT reread
    Tue Sep  8 16:54:03 EST 1998
    -rwxr-xr-x  1 root  wheel  11710 Sep  8 16:52:57 1998 reread

Run GDB viz:

    cagney@b1.cygnus.com$ /usr/bin/gdb ./reread
    ...
    GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc...
    (gdb) run
    Starting program: /home/scratch/freebsd-gdb/./reread
    This is foo

    Program exited normally.
    (gdb)

Check the dates again:

    cagney@b1.cygnus.com$ date ; /bin/ls -lT reread
    Tue Sep  8 16:55:11 EST 1998
    -rwxr-xr-x  1 root  wheel  11710 Sep  8 16:52:57 1998 reread

Until eventually (~30 seconds?).

    cagney@b1.cygnus.com$ date ; /bin/ls -lT reread
    Tue Sep  8 16:55:28 EST 1998
    -rwxr-xr-x  1 root  wheel  11710 Sep  8 16:55:27 1998 reread

shows up....

>Fix:

Good question!

have fun,
Andrew

>Audit-Trail:
>Unformatted:
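The report above detects the problem by hand, by comparing `ls -lT` output before and after a debugging session. The following is an added example (not part of the PR, and not FreeBSD or GDB code) of how a defender would automate that observation: it records the inode metadata and a content hash of a file, compares two snapshots, and separates a timestamp-only change (the symptom reported here: mtime moves, the bytes do not) from a real content or attribute change. It runs against a constructed temporary file, using `os.utime` to stand in for whatever the kernel did to the root-owned binary in the report; it is a detection aid for the symptom, not a fix for the ptrace issue itself.

```python
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class FileRecord:
    """Inode metadata plus a content hash for one file."""
    size: int
    mtime_ns: int
    ctime_ns: int
    mode: int
    uid: int
    sha256: str


def snapshot(path):
    """Record size, timestamps, permission bits, owner and SHA-256 of a file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileRecord(
        size=st.st_size,
        mtime_ns=st.st_mtime_ns,
        ctime_ns=st.st_ctime_ns,
        mode=stat.S_IMODE(st.st_mode),
        uid=st.st_uid,
        sha256=h.hexdigest(),
    )


def compare(before, after):
    """Return the names of the fields that differ between two snapshots."""
    return [f.name for f in fields(FileRecord)
            if getattr(before, f.name) != getattr(after, f.name)]


def classify(changes):
    """Label a change set.

    'metadata-only' is the pattern in the PR: mtime (and therefore ctime)
    moved while size, hash, mode and owner are identical.  Anything else
    means the file's bytes or security-relevant attributes changed.
    """
    if not changes:
        return "unchanged"
    if set(changes) <= {"mtime_ns", "ctime_ns"}:
        return "metadata-only"
    return "content-or-attributes"


def demo():
    """Exercise the checker on a constructed file; returns the two verdicts."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "reread")  # constructed sample, not the PR's binary
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed sample, not a real executable\n")
        base = snapshot(path)

        # Stand-in for the PR's symptom: the timestamp moves, the content does not.
        later = base.mtime_ns + 10**9
        os.utime(path, ns=(later, later))
        touched = snapshot(path)

        # A genuine modification: bytes appended, so size and hash change too.
        with open(path, "ab") as f:
            f.write(b"x")
        modified = snapshot(path)

        return classify(compare(base, touched)), classify(compare(base, modified))


if __name__ == "__main__":
    print(demo())  # expected: ('metadata-only', 'content-or-attributes')
```

In practice the baseline snapshot would be stored (and signed) at install time and compared periodically; a root-owned binary whose verdict is anything but "unchanged" after ordinary unprivileged activity is exactly the kind of event the PR describes and deserves a look.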