lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.44.0708170426160.24633-100000@D00M.lightwave.net.ru>
Date: Fri, 17 Aug 2007 05:27:40 +0400 (MSD)
From: Dan Yefimov <dan@...5.lightwave.net.ru>
To: Glynn Clements <glynn@...ements.plus.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death
 Signal Vulnerability

On Thu, 16 Aug 2007, Glynn Clements wrote:

> However, the bug in question allows sending signals which cannot be
> blocked or ignored (SIGKILL, SIGSTOP). Moreover, the cause (PDEATHSIG)
> cannot be disabled
> 
Really? An what if we fork right after startup and perform operations as a 
child?

> SIGKILL and SIGSTOP cannot be blocked, handled or ignored.

As for SIGKILL, I again repeat that the program must operate in a fail safe way 
when that makes sense.

BTW, SIGKILL and SIGSTOP can be issued by an O_ASYNC file I/O also (look in 
fcntl(2) at F_SETSIG section). If you use F_SETSIG for sending SIGKILL or 
SIGSTOP, there's nothing to be done with that - that behaviour is well 
documented and setuid root program must know which file descriptor should be 
closed to prevent that, which is of course not possible. The only cure here is 
closing every file descriptor above 2, but that is still insufficient, since 
fcntl() might be issued on file descriptors from 0 to 2.

> Signals
> which don't terminate the process may still have undesirable
> consequences, e.g. use of SIGUSR1 as a secure signalling mechanism (at
> least, it's supposed to be secure).
> 
Supposed by whom and why? Where is the guarantee? As I said previously, 
arbitrary signal can be issued in a couple of ways.

> There's more risk if a program uses signals (e.g. SIGUSR1) for remote
> control.
> 
AFAIK, nobody normal does that - results are unpredictable. Much more often 
FIFOS and sockets are used for that.

> > Really? Let's consider the following scenario. You write an analogue of 
> > /bin/passwd. Here you make a temporary copy of /etc/shadow, hard link 
> > /etc/shadow to /etc/shadow- pre-removing existing /etc/shadow- if that exists,
> 
> That interferes with any existing passwd invocation.
> 
Probably. But the data will still be in a consistent state. I just proposed an 
idea without much details.

> Sending asynchronous signals to setuid/setgid children is supposed to
> be impossible, and that restriction is considered a security
> mechanism.
> 
And this IS generally impossible. Once spawned setuid root binary that will
send a signal while dying, you have no control over the moment the signal is 
being sent at. The exploitation scenario for this bug is a bit artificial.
-- 

    Sincerely Your, Dan.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ