Re: Ptrace hole / Linux 2.2.25

mlafon@arkoon.net
Wed, 19 Mar 2003 12:28:02 +0100

Alan Cox wrote:
> Vulnerability: CAN-2003-0127

> The Linux 2.2 and Linux 2.4 kernels have a flaw in ptrace. This hole allows
> local users to obtain full privileges. Remote exploitation of this hole is
> not possible. Linux 2.5 is not believed to be vulnerable.

The patch breaks /proc/<pid>/cmdline and /proc/<pid>/environ for 'non-dumpable'
processes, even for root.

We need to access these proc files for process monitoring.

Included is a patch to restore this functionality for root.

Any comments?
(See attached file: cmdline_environ_fix.diff)

--
Mathieu Lafon - Arkoon Network Security

Attachment: cmdline_environ_fix.diff

diff -u -r1.3.24.1 ptrace.c
--- linux-2.4/kernel/ptrace.c	2003/03/19 10:50:57	1.3.24.1
+++ linux-2.4/kernel/ptrace.c	2003/03/19 10:54:45
@@ -140,7 +140,7 @@
 	/* Worry about races with exit() */
 	task_lock(tsk);
 	mm = tsk->mm;
-	if (!is_dumpable(tsk) || (&init_mm == mm))
+	if ((!is_dumpable(tsk) || (&init_mm == mm)) && (current->uid != 0))
 		mm = NULL;
 	if (mm)
 		atomic_inc(&mm->mm_users);
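Review bot: the exemption in the changed line keys on `current->uid != 0`, a raw real-uid test, where the kernel decides this kind of question (including in the ptrace attach path itself) with a capability check; `&& !capable(CAP_SYS_PTRACE)` would let a monitoring daemon that keeps only that capability through and would not exempt a uid-0 process that has dropped it, so consider `if ((!is_dumpable(tsk) || (&init_mm == mm)) && !capable(CAP_SYS_PTRACE))`. Note also that the hunk sits in kernel/ptrace.c, in the helper that hands out `tsk->mm`, rather than in the /proc cmdline/environ readers the mail is about, so the relaxation reaches every caller of that helper; if the goal is only the two /proc files, gating the exemption at the /proc side is the narrower change.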

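A check a practitioner can run to see what a given kernel does in the situation this mail describes (added example, not code from the original post or from the attached patch): it forks a child that clears its own dumpable flag with prctl(PR_SET_DUMPABLE, 0), the same state a setuid process ends up in, then tries to read the child's /proc/<pid>/cmdline and /proc/<pid>/environ and reports each as readable, empty or denied. "Empty" is what the 2.4 fix produces when it sets mm = NULL; "denied" is what current kernels return when the ptrace read-access check fails. The enum, probe_proc_file, spawn_non_dumpable_child and reap_child are this example's own names. Run it once as an unprivileged user and once as root (or with CAP_SYS_PTRACE) to compare the two answers; on current kernels environ is gated by the ptrace read-access check while cmdline is not, so the two files may differ.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of trying to read one /proc/<pid>/<file>. */
enum probe_result {
    PROBE_READABLE, /* open and read succeeded and data came back */
    PROBE_EMPTY,    /* open succeeded but the file read as empty (the "mm = NULL" outcome) */
    PROBE_DENIED,   /* open or read failed with EACCES or EPERM */
    PROBE_ERROR     /* anything else: no /proc, process gone, ... */
};

const char *probe_name(enum probe_result r)
{
    switch (r) {
    case PROBE_READABLE: return "readable";
    case PROBE_EMPTY:    return "empty";
    case PROBE_DENIED:   return "denied";
    default:             return "error";
    }
}

/* Open /proc/<pid>/<name> and classify what the kernel lets us see. */
enum probe_result probe_proc_file(pid_t pid, const char *name)
{
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/%s", (long)pid, name);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return (errno == EACCES || errno == EPERM) ? PROBE_DENIED : PROBE_ERROR;
    ssize_t n = read(fd, buf, sizeof buf);
    int saved_errno = errno;
    close(fd);
    if (n < 0)
        return (saved_errno == EACCES || saved_errno == EPERM) ? PROBE_DENIED : PROBE_ERROR;
    return n == 0 ? PROBE_EMPTY : PROBE_READABLE;
}

/* Fork a child, make it non-dumpable (the state a setuid binary is in) and
 * return its pid once the flag is set. The child blocks until it is killed. */
pid_t spawn_non_dumpable_child(void)
{
    int sync_pipe[2];
    if (pipe(sync_pipe) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sync_pipe[0]);
        if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
            _exit(2);
        if (write(sync_pipe[1], "x", 1) != 1) /* tell the parent the flag is set */
            _exit(3);
        close(sync_pipe[1]);
        for (;;)
            pause();
    }
    close(sync_pipe[1]);
    char c;
    int ok = read(sync_pipe[0], &c, 1) == 1;
    close(sync_pipe[0]);
    if (!ok) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    return pid;
}

void reap_child(pid_t pid)
{
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
}

int main(void)
{
    pid_t child = spawn_non_dumpable_child();
    if (child < 0) {
        perror("spawn_non_dumpable_child");
        return 1;
    }
    printf("probing non-dumpable pid %ld as uid %ld (euid %ld)\n",
           (long)child, (long)getuid(), (long)geteuid());
    printf("  /proc/%ld/cmdline: %s\n", (long)child, probe_name(probe_proc_file(child, "cmdline")));
    printf("  /proc/%ld/environ: %s\n", (long)child, probe_name(probe_proc_file(child, "environ")));
    reap_child(child);
    return 0;
}
```

The child is synchronised through a pipe so the probe only runs after the dumpable flag has actually been cleared; without that the parent could race ahead and read a still-dumpable process.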