race for /proc/$PID/environ [was: procfs and privacy and a few other questions]

Hi,

On 2006.07.19 00:20:20 +0200, Wolfgang Draxinger wrote:
> Another question, also on procfs is, where exactly does the race 
> condition of the recently reported privilege escalation exploit does 
> take place. In the few days I was experimenting a bit with the code, 
> trying to inject non a.out formats, and eventually the Mono framework 
> or the WINE wrapper could allow to inject code through a BINFMT_MISC 
> handler, but I'm not through on this. Gladly the thing is fixed, but 
> given the fact that there seem to be still a lot of servers on which 
> even the sys_prctl exploit isn't fixed yet I'm a bit precarious about 
> the whole situation.

The race happens between pid_revalidate() and proc_pid_environ(). When
sys_execve() is called, you get into prepare_binprm() which first checks
the i_mode flags and the owner of the file to be executed and later
tries to read the file.
When a process is set non-dumpable, its files are owned by root:root
while permissions are kept, and the "environ" file also gets non-readable
for everyone.
The owner is basically set by proc_revalidate(), the check whether
"environ" may be read happens in proc_pid_environ() (the call to
ptrace_may_attach() to be exact).

Now prepare_binprm() first gets owner and permissions, which are
root:root and 04755 respectively, permissions were changed regularly,
owner was set to root:root, because the process is non-dumpable.
Later prepare_binprm() actually tries to read /proc/$PID/environ and
usually this would fail, because the process is non-dumpable. Now, if
the syscall gets preempted in between these two, you can change the
process back to be dumpable, the read succeeds and that's it.

HTH
Björn
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- procfs and privacy and a few other questions
  - From: Wolfgang Draxinger <[email protected]>

Prev by Date: Re: XFS breakage in 2.6.18-rc1
Next by Date: Re: [RFC PATCH 16/33] Add support for Xen to entry.S.
Previous by thread: procfs and privacy and a few other questions
Next by thread: Re: procfs and privacy and a few other questions
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]