Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

To: Wojciech Purczynski <cliph@xxxxxxx>
Subject: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
From: Dan Yefimov <dan@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Aug 2007 16:46:28 +0400 (MSD)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.58.0708142258270.2038@dione>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On Tue, 14 Aug 2007, Wojciech Purczynski wrote:

> 
> Small correction - I forgot to add setuid(0) ;)
> 
>       PARENT          CHILD
>       ----------------------------------------------------------------
>       fork()
>                       prctl(PR_SET_PDEATHSIG)
>                       execve("/bin/setuid-binary")
>                       setuid(0)
>       exit()'ed or killed
>                       child receives NO signal this time
> 
> 
>       PARENT          CHILD
>       ----------------------------------------------------------------
>       fork()
>                       prctl(PR_SET_PDEATHSIG)
>                       execve("/bin/setuid-binary")
>                       setuid(0)
>       execve("/bin/setuid-binary")
>       exit()'ed or killed
>                       privileged process receives the signal
> 
This doesn't change anything in what I said previously. If the sender's EUID or 
RUID equals to any of SUID or RUID of the victim or the sender process is root, 
the sender can send any signal to the victim; if none of those conditions are 
met, it obviously can't, no matter how and what signal it sends. For details 
look at check_kill_permission() and group_send_sig_info() in kernel/signal.c
and reparent_thread() in kernel/exit.c in the kernel source tree (version 
2.6.22).
-- 

    Sincerely Your, Dan.

Follow-Ups:
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
  - From: Wojciech Purczynski

References:
- Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
  - From: Wojciech Purczynski

Prev by Date: Re: PHPCentral Login Script Remote Command Execution Vulnerability
Next by Date: Cross Site Request Forgery in 2wire routers
Previous by thread: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
Next by thread: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
Index(es):
- Date
- Thread