Home page logo
/

bugtraq logo Bugtraq mailing list archives

Process hiding in linux
From: pavel () SUSE CZ (Pavel Machek)
Date: Wed, 15 Mar 2000 23:44:47 +0100


Hi!

/proc/pid allows strange tricks (2.3.49):

pavel () bug:~/misc$ while1 &
[1] 1349
pavel () bug:~/misc$ delayed_cat /proc/1349/status

[2]+  Stopped                 delayed_cat /proc/1349/status
pavel () bug:~/misc$ ./phide

[spawns 32450 processes and lets them exit]

pavel () bug:~/misc$ kill -9 1349
pavel () bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1337  0.0  0.5   844  336 tty1     S    22:29   0:00 grep
grep
[1]-  Killed                  while1

[repeating so we are near wrapparound]

pavel () bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1347  0.0  0.5   844  336 tty1     S    22:30   0:00 grep
grep
pavel () bug:~/misc$ while1 & while1 & while1 & while1 & while1 &
[3] 1348
[4] 1349
[5] 1351
[6] 1352
[7] 1353
pavel () bug:~/misc$ kill 1348 1351 1352 1353

*Then* on the other console:

So what we have is process 1350 *hiding* process 1349. (Process apears
on listings, but it is marked as zombie, while it is running in the
background.)

pavel () bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1350  0.0  0.3   724  224 tty1     T    22:28   0:00 delayed_cat /proc/1349/status
pavel     1349 12.1  0.0     0    0 tty1     Z    22:28   0:34 [while1 <defunct>]
pavel     1361  0.0  0.5   844  332 tty2     S    22:33   0:00 grep
1349
pavel () bug:~$ kill -9 1350
pavel () bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1349 88.2  0.3   720  216 tty1     R    22:30   2:46 while1
pavel     1363  0.0  0.5   844  332 tty2     S    22:33   0:00 grep
1349
pavel () bug:~$

                                                                Pavel

PS: It was Pavel Kankovsky who told me something like this might be
possible. I believe this is security problem.

--
I'm pavel () ucw cz  "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents me at discuss () linmodems org



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]