Date: Mon, 29 Nov 1999 15:58:47 -0800 (PST) From: Kris Kennaway <kris@hub.freebsd.org> To: Matthew Dillon <dillon@apollo.backplane.com> Cc: Dan Moschuk <dan@FreeBSD.ORG>, audit@freebsd.org Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h Message-ID: <Pine.BSF.4.21.9911291550311.19254-100000@hub.freebsd.org> In-Reply-To: <199911292239.OAA11977@apollo.backplane.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 29 Nov 1999, Matthew Dillon wrote: > :> to increment when I look at 'ps' and 'jobs -l' output just as a > :> double check, and I'm sure other people do to. > : > :The big thing which randomized pids gives you is protection against > :tempfile guessing (e.g. /tmp/foo<pid>). We can't fix all of those bugs > :because they exist in a lot of third party code, including code without > :source. > : > :Kris > > Not really. Example: fork/exec an suid program. You now know what > the pid is (the return valud of the fork). There is no need to guess, > and a randomized pid won't help you. In fact, you can TSTP the program > relatively easily since you are probably still the controlling terminal. > You can effectively exploit the window even without TSTPing or STOPing > the program. You misunderstand the attack. In this case I'm the attacker, trying to defeat a child of a process which isn't mine. An example of this exploit in current FreeBSD is a temp file which is created during a parallel make world (I haven't gone back and figured out what). It makes a temp file called /tmp/something<pid> without checking for prior existance of the file. As the attacker, I can exploit this by looking at the current value of maxpid, and spawning say 500 links in /tmp with the correct name, pointing to /etc/passwd. Along comes Mr. linker (or whatever), creates the temporary file and lands in the 'minefield', follows my link, and actually creates it over the top of /etc/passwd. Boom. As you noted, this only reduces to a race condition when you randomize the PID, but it's at least a lot harder to exploit. We can fix this one in FreeBSD, but third party code is still just as trivial to exploit. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.9911291550311.19254-100000>