From owner-freebsd-audit Fri Sep 29 18:15: 9 2000
Delivered-To: freebsd-audit@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 6AB1037B503 for ; Fri, 29 Sep 2000 18:15:07 -0700 (PDT)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id e8U1F7f24324 for freebsd-audit@freebsd.org; Fri, 29 Sep 2000 18:15:07 -0700 (PDT)
Date: Fri, 29 Sep 2000 18:15:07 -0700
From: Alfred Perlstein
To: freebsd-audit@freebsd.org
Subject: ptrace may have a security flaw with reparenting
Message-ID: <20000929181506.W27736@fw.wintelcom.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I haven't had time to test nor do a complete audit, but a pretty good glance at the ptrace code makes it look like one can attach a process to another process.

Here's how it looks like it may be possible:

  pid 100 forks child 101
  pid X ptrace attaches to 101
  pid X waits for pid 100 to exit and another unrelated (target) process to get the pid via wraparound
  pid X then detaches
  pid 101 is now attached to 100 but it shouldn't be!

I'm not aware of any special capabilities gained from just being a child process of another process; however, the simple problem is that now the false child can subvert the parent by exiting and leaving a return value that would confuse the parent.

Assume setuid app 'foo' forks a child to do authentication and relies on the child returning success for positive auth; well, now you have a race window in which to return early and trick the parent.

Again, even if this is possible it's probably going to be really obscure and difficult to exploit; however, after someone says that on BUGTRAQ it's usually a few hours (days tops) before someone actually finds a case where it is possible.
My apologies if this isn't possible (there may be other checks in the code to disallow this trick), but I just don't have time to research it further.

thanks,
-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
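The parent-side confusion the post describes (a stray child exiting early and having its status mistaken for the real helper's) is illustrated below as an added example; it is not code from the post or from FreeBSD, and it does not involve ptrace at all. A decoy child that exits 0 stands in for the re-parented stray process. `auth_via_child_wait_any` reaps with `wait()` and accepts whichever child finishes first; `auth_via_child` reaps with `waitpid()` on the exact pid it forked. The function names, the `auth_fn` callback type and the `check_*` routines are hypothetical stand-ins for a real credential check.

```c
/* Added example: why a parent that delegates authentication to a child must
 * reap that specific child (waitpid) rather than any child (wait). Not part
 * of the original post. */
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <errno.h>
#include <stdio.h>

/* Hypothetical authentication routine run in the child; 0 means success. */
typedef int (*auth_fn)(void);

enum { AUTH_OK = 1, AUTH_DENIED = 0, AUTH_ERROR = -1 };

static int exit_status_grants(int status)
{
    /* Only a normal exit with status 0 counts as success; a signal death or
     * any other exit code is treated as denial. */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? AUTH_OK : AUTH_DENIED;
}

/* Weak version: wait() returns the first child to change state, whoever it
 * is. If some other child (the decoy, or a stray that got re-parented onto
 * us) has already exited 0, its status is what we act on. */
int auth_via_child_wait_any(auth_fn fn)
{
    pid_t child = fork();
    if (child < 0) return AUTH_ERROR;
    if (child == 0) _exit(fn() == 0 ? 0 : 1);

    int status;
    if (wait(&status) < 0) return AUTH_ERROR;   /* reaps *any* child */
    return exit_status_grants(status);
}

/* Hardened version: wait only for the pid we forked; retry on EINTR and
 * refuse to grant access on any mismatch or error. */
int auth_via_child(auth_fn fn)
{
    pid_t child = fork();
    if (child < 0) return AUTH_ERROR;
    if (child == 0) _exit(fn() == 0 ? 0 : 1);

    int status;
    pid_t reaped;
    do {
        reaped = waitpid(child, &status, 0);
    } while (reaped < 0 && errno == EINTR);

    if (reaped != child) return AUTH_ERROR;
    return exit_status_grants(status);
}

/* Constructed stand-ins for a real credential check. */
int check_passes(void)  { return 0; }
int check_fails(void)   { return 1; }
int check_crashes(void) { raise(SIGKILL); return 1; }

/* Run `impl` while a decoy sibling (exit status 0) is already sitting as an
 * unreaped zombie and the real helper's check fails. Returns 1 if `impl`
 * wrongly reports AUTH_OK, 0 if it correctly denies, -1 on setup error. */
int fooled_by_decoy(int (*impl)(auth_fn))
{
    pid_t decoy = fork();
    if (decoy < 0) return -1;
    if (decoy == 0) _exit(0);            /* decoy "succeeds" immediately */

    /* Block until the decoy has exited but leave it unreaped (WNOWAIT), so
     * it is exactly what a plain wait() will pick up first. */
    siginfo_t info;
    if (waitid(P_PID, decoy, &info, WEXITED | WNOWAIT) < 0) return -1;

    int r = impl(check_fails);

    /* Reap every remaining child so no zombies leak out of the demo. */
    while (waitpid(-1, NULL, 0) > 0) ;
    return r == AUTH_OK;
}

int main(void)
{
    printf("hardened, passing check:  %d\n", auth_via_child(check_passes));
    printf("hardened, failing check:  %d\n", auth_via_child(check_fails));
    printf("hardened, crashing check: %d\n", auth_via_child(check_crashes));
    printf("wait() fooled by decoy:   %d\n", fooled_by_decoy(auth_via_child_wait_any));
    printf("waitpid() fooled by decoy: %d\n", fooled_by_decoy(auth_via_child));
    return 0;
}
```

The decoy here is a legitimate sibling created by the same process, so this does not reproduce the kernel-side reparenting the post speculates about; it only shows that a parent which reaps with `wait()` and trusts the first status it sees can be talked into granting access by any process that ends up as its child, while a parent that reaps its own pid and treats every other outcome as denial cannot.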