Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()

Jeff Epler (jepler@INETNEBR.COM)
Sat, 02 Aug 1997 22:57:31 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: long-morrow@CS.YALE.EDU: "Re: SSH LocalForward"
Previous message: Sevo Stille: "Re: SSH LocalForward"
Next in thread: Marc Slemko: "Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()"

On Sat, Aug 02, 1997 at 08:02:04PM -0500, Thomas H. Ptacek wrote:
> Vulnerability in rfork() System Call
> A vulnerability in certain 4.4BSD kernels allows processes to gain
> access to restricted resources by manipulating the file descriptor
> tables of SUID and SGID executables. Applications of this vulnerability
> will allow users to gain root access.

A look at the source code for Linux kernel 2.0.30 and an attempted
exploit seem to show that linux clone() does not have the weakness
discovered in rfork().

An excerpt from linux/fs/exec.c (lines 516ff in my copy):
if (id_change) {
/* We can't suid-execute if we're sharing parts of the * executable */
/* or if we're being traced (or if suid execs are not allowed) */
/* (current->mm->count > 1 is ok, as we'll get a new mm anyway) */
if (IS_NOSUID(bprm->inode)
|| (current->flags & PF_PTRACED)
|| (current->fs->count > 1)
|| (current->sig->count > 1)
|| (current->files->count > 1)) /*XXX jepler*/ {
if (!suser())
return -EPERM;
}
}

XXX marks the line which keeps us safe in the face of CLONE_FILES.

Copies of my non-exploit are available on reques.

Jeff

--
\/ jepler@inetnebr.com http://incolor.inetnebr.com/jepler/ (0|1(01*0)*1)+
HOW YOU CAN TELL THAT IT'S GOING TO BE A ROTTEN DAY:
        #1040 Your income tax refund cheque bounces.

Next message: long-morrow@CS.YALE.EDU: "Re: SSH LocalForward"
Previous message: Sevo Stille: "Re: SSH LocalForward"
Next in thread: Marc Slemko: "Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()"