mailing list archives
Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()
From: marcs () ZNEP COM (Marc Slemko)
Date: Sun, 3 Aug 1997 17:38:22 -0600
On Sat, 2 Aug 1997, Jeff Epler wrote:
On Sat, Aug 02, 1997 at 08:02:04PM -0500, Thomas H. Ptacek wrote:
Vulnerability in rfork() System Call
A vulnerability in certain 4.4BSD kernels allows processes to gain
access to restricted resources by manipulating the file descriptor
tables of SUID and SGID executables. Applications of this vulnerability
will allow users to gain root access.
A look at the source code for Linux kernel 2.0.30 and an attempted
exploit seem to show that linux clone() does not have the weakness
discovered in rfork().
I took a quick look at the behavior of IRIX's sproc() (on 6.2), and it
appears to be safe, but it may be more out of luck and/or bugs than
If you do a sproc() then have the child exec something (regardless of if
what it execs is setuid or not) and open a file descriptor in the child,
when the parent write()s to that descriptor it does _not_ return an error
condition but it doesn't get written to the file either; it appears to
just vanish. If you try to write from the parent to a fd that is closed,
it does properly return an error.
Finally, a welcome change from all the buffer overflows. Trivial to
exploit to gain root, but still a nice change of pace.
Re: sendmail -C: Known? Patches? (AIX 4.1.5) Eric Allman (Aug 06)
Re: sendmail -C: Known? Patches? (AIX 4.1.5) Eric Allman (Aug 07)
procfs hole Brian Mitchell (Aug 10)
Re: procfs hole Jonathan A. Zdziarski (Aug 10)
Re: procfs hole Brian Mitchell (Aug 10)
NT DNS Implicit Search Order Hole Aleph One (Aug 09)