Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability

To: x82_@xxxxx
Subject: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
From: Wojciech Purczynski <cliph@xxxxxxx>
Date: Wed, 15 Aug 2007 22:31:44 +0200 (CEST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20070815101943.32355.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070815101943.32355.qmail@xxxxxxxxxxxxxxxxx>
Sender: wp@xxxxxxxxxxxx

> In my eyes this is definitely a security issue. But I cannot imagine a
> way to exploit this issue at the moment. First you have to find a suid
> binary which fork()'s. Next thing is that you need access to that
> binary. And then? If both conditions are really met, what's next? The
> possibilities are depending a little bit on the suid binary, am I right?
> Please feel free to correct me if I am wrong.

You do not need suid that forks, you do the fork then child execves victim
suid which then setuids and your parent execves another suid that exits or
dies and thus the parent process death signal gets delivered to victim
suid. It's all in my advisory.

References:
- Re: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
  - From: x82_

Prev by Date: [ MDKSA-2007:165 ] - Updated cups packages fix vulnerability
Next by Date: Re: Safari for windows remote arbitry file upload
Previous by thread: Re: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
Next by thread: Re: Re: COSEINC Linux Advisory #1: Linux Kernel Parent Process Death Signal Vulnerability
Index(es):
- Date
- Thread