Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.44.0311270855210.3977-100000@isec.pl>
From: cliph at isec.pl (Wojciech Purczynski)
Subject: Attacks based on predictable process IDs??

> Among other things mentioned in this thread, just take a look at the exploit
> technique used in the recent kernel_thread()/ptrace() race condition in the
> Linux kernel. That exploit needed to PTRACE_ATTACH to the newly created
> thread (invoked "automatically" by kmod) before it was possible to know the
> PID of this newly created thread. So it used a simple heuristic - current
> pid + 1, which was true on most systems without PID randomization.

The exploit attaches to the spawned kmod process, which must already have its pid.
It doesn't have to predict the PID before the process is created.

Even if the PID is chosen randomly there are at least three techniques
that allow one to guess its value easily:

  1. Scanning /proc directory tree to determine new entries

  2. Using kill(pid, 0) to verify each pid's existence

  3. Use some other syscalls that take a pid as an argument and analyse
     the error value returned:

        waitpid
        wait4
        ptrace
        setpgid
        getpgid
        capget

     ...and maybe some others.

15 bits of randomness isn't sufficient to prevent guessing its value.

Cheers,
wp

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
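The following is an added illustration of the second technique in the mail above, not code from the original post or from iSEC: it probes the PID space with kill(pid, 0), treating ESRCH as "no such process" and success or EPERM as "exists", and then locates a freshly forked child by diffing two snapshots. It assumes Linux, reads /proc/sys/kernel/pid_max when available (falling back to the 64-bit upper bound of 4194304), and all function names are mine. The point for defenders is the one the mail makes: PID randomization changes which number a new process gets, but not the fact that its existence is observable through ordinary syscalls, so it is not a confidentiality boundary (and mounting /proc with hidepid does not change what kill() reports).

```c
/* pidprobe.c - added example (not from the original mail): shows that
 * kill(pid, 0) reveals which PIDs exist regardless of PID randomization,
 * and that a newly forked process can be located by diffing two snapshots.
 * Linux-specific; /proc/sys/kernel/pid_max is read when available. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: PID_MAX_LIMIT on 64-bit Linux, used when /proc is unreadable. */
#define DEFAULT_PID_MAX 4194304L

/* Size of the PID space: /proc/sys/kernel/pid_max, or the safe default. */
long pid_space_size(void) {
    long max = DEFAULT_PID_MAX;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%ld", &max) != 1 || max <= 0) max = DEFAULT_PID_MAX;
        fclose(f);
    }
    return max;
}

/* A PID exists if kill(pid, 0) succeeds, or fails only with EPERM
 * (process exists but belongs to someone else). ESRCH means no process. */
int pid_exists(pid_t pid) {
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* Record every live PID below `max` in a bitmap; returns the live count. */
long snapshot_pids(unsigned char *bitmap, long max) {
    long live = 0;
    memset(bitmap, 0, (size_t)(max / 8 + 1));
    for (long pid = 1; pid < max; pid++) {
        if (pid_exists((pid_t)pid)) {
            bitmap[pid / 8] |= (unsigned char)(1u << (pid % 8));
            live++;
        }
    }
    return live;
}

/* True if `pid` is set in `after` but not in `before`. */
int is_new_pid(const unsigned char *before, const unsigned char *after, pid_t pid) {
    unsigned mask = 1u << (pid % 8);
    return (after[pid / 8] & mask) && !(before[pid / 8] & mask);
}

/* Fork a child that just waits, locate it by diffing snapshots, then reap it.
 * Returns 1 if the child's PID shows up only in the second snapshot. */
int locate_forked_child(void) {
    long max = pid_space_size();
    size_t bytes = (size_t)(max / 8 + 1);
    unsigned char *before = calloc(bytes, 1);
    unsigned char *after = calloc(bytes, 1);
    int found = 0;
    if (!before || !after) { free(before); free(after); return 0; }
    snapshot_pids(before, max);
    pid_t child = fork();
    if (child == 0) { pause(); _exit(0); }   /* child: wait to be killed */
    if (child > 0) {
        snapshot_pids(after, max);
        found = child < max && is_new_pid(before, after, child);
        kill(child, SIGKILL);
        waitpid(child, NULL, 0);
    }
    free(before);
    free(after);
    return found;
}

int main(void) {
    long max = pid_space_size();
    unsigned char *bm = calloc((size_t)(max / 8 + 1), 1);
    if (!bm) return 1;
    printf("pid_max=%ld live=%ld\n", max, snapshot_pids(bm, max));
    printf("forked child found by snapshot diff: %s\n",
           locate_forked_child() ? "yes" : "no");
    free(bm);
    return 0;
}
```

A full sweep of a 4194304-entry PID space is a few million cheap syscalls, so on current kernels it takes well under a second per snapshot; shrinking pid_max or randomizing allocation does not change that cost in any meaningful way. Detection-wise, a burst of kill(pid, 0) calls (or the other pid-taking syscalls listed in the mail) across the whole range is an easy audit/seccomp-notify signal, which is the more useful control than hoping the PID stays unknown.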


