
Date: Fri, 17 Mar 2000 00:56:47 +0100 (MET)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Process hiding in linux (fwd)

That exec() thing reminded me of another kernel problem (limited to 2.3
...fortunately) Pavel Machek and I discovered recently.

Some background: /proc/NNN inodes in 2.3 keep a pointer to task_struct
(earlier versions used a pid computed from an inode number to look up that
pointer during every fs operation). This makes /proc in 2.3 resistant
against pid recycling attacks because old fds would always access the
original zombified task_struct (that is garbage collected when its
reference count drops to zero). Unfortunately, it makes /proc vulnerable
to these attacks put upside-down: because the old task_struct pointer is
stored in the inode, new fds access the old process as well until the
kernel gets rid of the inode but this will not happen until all old fds
are closed.

A lesson learned: when an old trick fails, try out its exact opposite.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


---------- Forwarded message ----------
Date: Mon, 13 Mar 2000 22:38:38 +0100
From: Pavel Machek <pavel@ucw.cz>
To: peak@kerberos.troja.mff.cuni.cz, pavel@ucw.cz, viro@math.psu.edu,
     linux-kernel@vger.rutgers.edu
Subject: Process hiding in linux

Hi!

/proc/pid allows strange tricks (2.3.49):

pavel@bug:~/misc$ while1 &
[1] 1349
pavel@bug:~/misc$ delayed_cat /proc/1349/status

[2]+  Stopped                 delayed_cat /proc/1349/status
pavel@bug:~/misc$ ./phide

[spawns 32450 processes and lets them exit]

pavel@bug:~/misc$ kill -9 1349
pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1337  0.0  0.5   844  336 tty1     S    22:29   0:00 grep
grep
[1]-  Killed                  while1

[repeating so we are near wraparound]

pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1347  0.0  0.5   844  336 tty1     S    22:30   0:00 grep
grep
pavel@bug:~/misc$ while1 & while1 & while1 & while1 & while1 &
[3] 1348
[4] 1349
[5] 1351
[6] 1352
[7] 1353
pavel@bug:~/misc$ kill 1348 1351 1352 1353

*Then* on the other console:

So what we have is process 1350 *hiding* process 1349. (Process appears
on listings, but it is marked as zombie, while it is running in the
background.)

pavel@bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1350  0.0  0.3   724  224 tty1     T    22:28   0:00 delayed_cat /proc/1349/status
pavel     1349 12.1  0.0     0    0 tty1     Z    22:28   0:34 [while1 <defunct>]
pavel     1361  0.0  0.5   844  332 tty2     S    22:33   0:00 grep
1349
pavel@bug:~$ kill -9 1350
pavel@bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1349 88.2  0.3   720  216 tty1     R    22:30   2:46 while1
pavel     1363  0.0  0.5   844  332 tty2     S    22:33   0:00 grep
1349
pavel@bug:~$

								Pavel

PS: It was Pavel Kankovsky who told me something like this might be
possible. I believe this is a security problem.
-- 
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org
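A defender-side check that follows from both messages above, added here as an example and not code from either Pavel or from the kernel: a zombie is a terminal state, so a PID that one `ps` snapshot reports as `Z` and a later snapshot reports as `R` (as 1349 does above once 1350 is killed) either belongs to a new task that recycled the PID, or was being misreported from a stale `task_struct` pinned by an open `/proc/PID` inode. The script parses `ps aux` output in the layout shown in the thread and flags such transitions. The two snapshots are constructed from the thread's own output (one warning line kept so the parser's skipping is exercised, the wrapped `grep 1349` argument rejoined), and the column regex assumes procps-style `ps aux` columns.

```python
import re

# `ps aux` column layout as shown in the thread:
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
# (assumption: procps-style columns; other ps variants may need a different pattern)
PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>[\d.]+)\s+(?P<mem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>[\d:-]+)\s+(?P<cmd>.*)$"
)

# Z (zombie) is terminal: a task that has reached Z never runs again. Z followed
# by any live state under the same pid therefore means the pid now belongs to a
# different task (recycled), or one of the two views was stale.
TERMINAL = "Z"


def parse_ps(text):
    """Parse one `ps aux` snapshot into {pid: {"state", "start", "time", "cmd"}}.
    Lines that do not match the layout (warnings, header, wrapped fragments)
    are skipped rather than treated as processes."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if m:
            procs[int(m.group("pid"))] = {
                "state": m.group("stat")[0],  # first STAT char is the scheduler state
                "start": m.group("start"),
                "time": m.group("time"),
                "cmd": m.group("cmd"),
            }
    return procs


def find_zombie_resurrections(snapshots):
    """Compare consecutive snapshots; return findings for pids that were reported
    as zombies and later appear in a live state."""
    findings = []
    for earlier, later in zip(snapshots, snapshots[1:]):
        for pid, before in earlier.items():
            after = later.get(pid)
            if before["state"] == TERMINAL and after and after["state"] != TERMINAL:
                findings.append({
                    "pid": pid,
                    "before": before,
                    "after": after,
                    # One task cannot be Z and later R: identical START means a
                    # stale view, differing START means the pid was reused.
                    "same_start": before["start"] == after["start"],
                })
    return findings


def audit(texts):
    """Parse raw `ps aux` captures in chronological order and run the check."""
    return find_zombie_resurrections([parse_ps(t) for t in texts])


# Constructed from the thread's output. Before: 1349 shows as a zombie while 1350
# still holds /proc/1349/status open. After: 1350 is killed and 1349 shows as running.
SNAPSHOT_BEFORE = """\
Warning: /boot/System.map has an incorrect kernel version.
pavel     1350  0.0  0.3   724  224 tty1     T    22:28   0:00 delayed_cat /proc/1349/status
pavel     1349 12.1  0.0     0    0 tty1     Z    22:28   0:34 [while1 <defunct>]
pavel     1361  0.0  0.5   844  332 tty2     S    22:33   0:00 grep 1349
"""
SNAPSHOT_AFTER = """\
Warning: /boot/System.map has an incorrect kernel version.
pavel     1349 88.2  0.3   720  216 tty1     R    22:30   2:46 while1
pavel     1363  0.0  0.5   844  332 tty2     S    22:33   0:00 grep 1349
"""

if __name__ == "__main__":
    for f in audit([SNAPSHOT_BEFORE, SNAPSHOT_AFTER]):
        print(f"pid {f['pid']}: {f['before']['state']} ({f['before']['cmd']}) "
              f"then {f['after']['state']} ({f['after']['cmd']}); "
              f"START {f['before']['start']} -> {f['after']['start']}")
```

On a live system the same function can be fed periodic `ps aux` captures. A finding whose START times differ says the PID was reused, so the earlier zombie entry is worth checking against whether its parent had already reaped it; a finding with identical START times cannot be one task at all, so one of the two listings was reporting a stale task_struct.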