<<< Date Index >>>     <<< Thread Index >>>

Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability



On Tue, 14 Aug 2007, Wojciech Purczynski wrote:

> 
> Small correction - I forgot to add setuid(0) ;)
> 
>       PARENT          CHILD
>       ----------------------------------------------------------------
>       fork()
>                       prctl(PR_SET_PDEATHSIG)
>                       execve("/bin/setuid-binary")
>                       setuid(0)
>       exit()'ed or killed
>                       child receives NO signal this time
> 
> 
>       PARENT          CHILD
>       ----------------------------------------------------------------
>       fork()
>                       prctl(PR_SET_PDEATHSIG)
>                       execve("/bin/setuid-binary")
>                       setuid(0)
>       execve("/bin/setuid-binary")
>       exit()'ed or killed
>                       privileged process receives the signal
> 
This doesn't change anything in what I said previously. If the sender's EUID or 
RUID equals to any of SUID or RUID of the victim or the sender process is root, 
the sender can send any signal to the victim; if none of those conditions are 
met, it obviously can't, no matter how and what signal it sends. For details 
look at check_kill_permission() and group_send_sig_info() in kernel/signal.c
and reparent_thread() in kernel/exit.c in the kernel source tree (version 
2.6.22).
-- 

    Sincerely Your, Dan.