Linux Kernel 2.2.x – Non-Readable File Ptrace Local Information Leak

Linux Kernel 2.2.x – Non-Readable File Ptrace Local Information Leak

漏洞ID 1053492 漏洞类型
发布时间 2000-11-30 更新时间 2000-11-30
图片[1]-Linux Kernel 2.2.x – Non-Readable File Ptrace Local Information Leak-安全小百科CVE编号 N/A
图片[2]-Linux Kernel 2.2.x – Non-Readable File Ptrace Local Information Leak-安全小百科CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/20458
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/2044/info

Ptrace is a unix system call that is used to analyze running processes, usually for breakpoint debugging. The linux implementation of ptrace in 2.2.x kernels (and possibly earlier versions) contains a vulnerability that may allow an attacker to gain sensitive information in non-readable non-setuid executable files.

For security reasons, regular users are not allowed to ptrace setuid programs (or attach to processes running as another uid) nor are they allowed to trace processes originating from un-readable disk images (binary files). These restrictions are properly enforced in Linux ptrace when using PT_ATTACH to trace aribtrary non-children processes in memory.

When ptrace is called to trace a child process however, it does not properly check to make sure that the disk image is readable to the user. As a result, the process can be traced and its core memory examined. Information compiled into the binary that was meant to be hidden via setting it non-readable may be disclosed to an attacker.

The information obtained could be used to assist in other attacks. 

Trace on non-readable file using PT_ATTACH:

$ ls -l testfile
-rwx--x--x 1 root root 216916 Dec 4 11:59 testfile

$ ./testfile
waiting..

From another shell:

$ strace -p 11535 <---process ID of "testfile" process
attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted <---Because testfile isn't readable. Good, secure behaviour

---------------

Trace on non-readable file as child process:

$ strace testfile

SYS_197(0x3, 0xbffff650, 0x40197d40, 0x80cca38, 0x3) = -1 ENOSYS (Function not implemented)
fstat(3, {st_mode=S_IFREG|0644, st_size=1744, ...}) = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
..

相关推荐: Compaq Management Agents for Netware Plaintext Password Vulnerability

Compaq Management Agents for Netware Plaintext Password Vulnerability 漏洞ID 1103729 漏洞类型 Design Error 发布时间 2000-11-06 更新时间 2000-11-…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享