unsecure fileaccess permissions for /proc (kernel 2.0.36)

Thomas Biege (thomas@suse.de)
Tue, 16 Mar 1999 18:03:49 +0100 (MET)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mike Jagdis: "IPv6 routing"
Previous message: H. Peter Anvin: "Re: DES module in kernel?"

Hi,
our security team of SuSE GmbH noticed a
security problem with the access permissions
to /proc (kernel 2.0.36).
When a (non-root) user executes a SUID program
s/he is able to read /proc/<pid_of_suid_proc>/stat.
The stat file includes the adress of the stackpointer,
which is necessary for exploiting bufferoverflows.
(One of the hardest parts of bufferoverflow exploits
is to guess the stackpointer value.)

This simpilfication is just usefull for bufferoverruns,
which are exploitable after the execution of a SUID
program.

Please, send your comments to thomas@suse.de, because
I'm not subscribed to this mailinglist... thanks.

Bye,
Thomas

--
  Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
  E@mail: thomas@suse.de      Function: Security Support & Auditing
  issue a  "finger thomas@suse.de | pgp -fka" for my public pgp key


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mike Jagdis: "IPv6 routing"
Previous message: H. Peter Anvin: "Re: DES module in kernel?"