Re: Minor PTRACE security bug

David Luyer (luyer@ucs.uwa.edu.au)
Tue, 15 Sep 1998 11:55:08 +0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Chris Wedgwood: "Re: egcs-1.1 (was 2.0.36-pre9"
Previous message: Rejean Turgeon: "sorry"
Maybe in reply to: Andreas Kies: "Minor PTRACE security bug"

> Hello everybody,
>
> This bug should normally not be dangerous, but you never know.
>
> Consider a file which is execute only.
>
> ---x--x--x 1 andi users 8576 Sep 14 21:45 foobar
>
> You can not debug it, but 'strace' works, which should not, IMHO.
> Things even get worse, if the binary does a fork. In this
> case strace fails, if tries to trace the child process, which is
> correct.
> The same problem is on 2.1.x, I think.
> My suggestion is to allow ptrace only on readable executables.

You can also attack it with an LD_PRELOAD overriding various functions
with versions that dump their arguments to a file before executing.

ie: (poor man's strace)

int close(int i) {
printf("close %d\n", i);
__close(i);
}

Replace printf with an appropriate fprintf and you can list all calls to
a given shared library.

cc -o test.o test.c ; ld -shared test.o -o test.so ; \
LD_PRELOAD=./test.so foobar

And see all the calls to close() [or, of course, any function you want].

Maybe LD_PRELOAD should also not be permitted if you have not got read
permission to the file you are executing? There could quite easily be
something more revealing that you can do with this -- eg, copy the entire
memory space of the program to a file.

David.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wedgwood: "Re: egcs-1.1 (was 2.0.36-pre9"
Previous message: Rejean Turgeon: "sorry"
Maybe in reply to: Andreas Kies: "Minor PTRACE security bug"