4910386 2000-03-17 03:06 /67 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10250>
Subject: Process hiding in linux
------------------------------------------------------------
Hi!

/proc/pid allows strange tricks (2.3.49):

pavel@bug:~/misc$ while1 &
[1] 1349
pavel@bug:~/misc$ delayed_cat /proc/1349/status
[2]+  Stopped                 delayed_cat /proc/1349/status
pavel@bug:~/misc$ ./phide
[spawns 32450 processes and lets them exit]
pavel@bug:~/misc$ kill -9 1349
pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1337  0.0  0.5   844   336 tty1     S    22:29   0:00 grep grep
[1]-  Killed                  while1
[repeating so we are near wraparound]
pavel@bug:~/misc$ ps aux | grep grep
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1347  0.0  0.5   844   336 tty1     S    22:30   0:00 grep grep
pavel@bug:~/misc$ while1 & while1 & while1 & while1 & while1 &
[3] 1348
[4] 1349
[5] 1351
[6] 1352
[7] 1353
pavel@bug:~/misc$ kill 1348 1351 1352 1353

*Then* on the other console:

So what we have is process 1350 *hiding* process 1349. (Process
appears on listings, but it is marked as zombie, while it is running
in the background.)

pavel@bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1350  0.0  0.3   724   224 tty1     T    22:28   0:00 delayed_cat /proc/1349/status
pavel     1349 12.1  0.0     0     0 tty1     Z    22:28   0:34 [while1 <defunct>]
pavel     1361  0.0  0.5   844   332 tty2     S    22:33   0:00 grep 1349
pavel@bug:~$ kill -9 1350
pavel@bug:~$ ps aux | grep 1349
Warning: /boot/System.map has an incorrect kernel version.
Warning: /usr/src/linux/System.map has an incorrect kernel version.
pavel     1349 88.2  0.3   720   216 tty1     R    22:30   2:46 while1
pavel     1363  0.0  0.5   844   332 tty2     S    22:33   0:00 grep 1349
pavel@bug:~$

                                                        Pavel

PS: It was Pavel Kankovsky who told me something like this might be
possible. I believe this is a security problem.
--
I'm pavel@ucw.cz. "In my country we have almost anarchy and I don't care."
Panos Katsaloulis describing me w.r.t. patents me at discuss@linmodems.org
(4910386) ------------------------------------------(Re-wrapped)
Comment in text 4918682 by Brevbäraren (som är implementerad i) Python

4918682 2000-03-20 11:08 /30 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10290>
Comment on text 4910386 by Brevbäraren (som är implementerad i) Python
Subject: Re: Process hiding in linux
------------------------------------------------------------
At 11:44pm Mar 15, 2000, Pavel Machek wrote:

> /proc/pid allows strange tricks (2.3.49):

> pavel@bug:~/misc$ ps aux | grep grep
> Warning: /boot/System.map has an incorrect kernel version.
> Warning: /usr/src/linux/System.map has an incorrect kernel version.

... interesting bits about /proc/$PID/status interface and how having
an open filehandle to a defunct proc's status can hide info from ps ...

1) The 2.3.x series [like all N.M.x kernels where ((M % 2) == 1)] are
   development kernels, not for production use.

2) The 2.3.x development tree is up to 2.3.99-pre1, according to
   http://www.kernel.org/ (Granted, 2.3.49 was only superseded nine
   days ago, and 2.3.99-pre1 appears to really be 2.3.52, but that just
   goes to illustrate that this is a developers' alpha release.)

In other words, check it on the current code (and what's up with having
the wrong System.map installed?) and post to the linux kernel-dev mailing
list if the dev kernel seems to have a bug. If they ignore you and seem
happy to release what you believe to be a product with a security flaw,
let the world know.
-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems
(4918682) ------------------------------------------(Re-wrapped)
Comment in text 4922798 by Brevbäraren (som är implementerad i) Python

4922798 2000-03-21 06:19 /39 lines/ Brevbäraren (som är implementerad i) Python
Recipient: Bugtraq (import) <10317>
Comment on text 4918682 by Brevbäraren (som är implementerad i) Python
Subject: Re: Process hiding in linux
------------------------------------------------------------
Hi!

> > /proc/pid allows strange tricks (2.3.49):
> >
> > pavel@bug:~/misc$ ps aux | grep grep
> > Warning: /boot/System.map has an incorrect kernel version.
> > Warning: /usr/src/linux/System.map has an incorrect kernel version.
>
> ... interesting bits about /proc/$PID/status interface and how having
> an open filehandle to a defunct proc's status can hide info from ps ...
>
> 1) The 2.3.x series [like all N.M.x kernels where ((M % 2) == 1)] are
>    development kernels, not for production use.

I know _that_. And? This bug is 99% going to be in 2.4.0.

> 2) The 2.3.x development tree is up to 2.3.99-pre1, according to
>    http://www.kernel.org/ (Granted, 2.3.49 was only superseded nine
>    days ago, and 2.3.99-pre1 appears to really be 2.3.52, but that just
>    goes to illustrate that this is a developers' alpha release.)

I do read released patches, and when something would drastically
change in fs/proc, I would probably notice.

> In other words, check it on the current code (and what's up with having
> the wrong System.map installed?) and post to the linux kernel-dev mailing
> list if the dev kernel seems to have a bug. If they ignore you and seem
> happy to release what you believe to be a product with a security flaw,
> let the world know.

I already did that a week or so ago.

                                                        Pavel
--
The best software in life is free (not shareware)!            Pavel
GCM d? s-: !g p?:+ au- a--@ w+ v- C++@ UL+++ L++ N++ E++ W--- M- Y- R+
(4922798) ------------------------------------------
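
The inconsistency between the two `ps aux | grep 1349` listings in the first message can be checked for mechanically. The following is an added example, not part of the thread: it parses the rows quoted there, flags a PID shown as a zombie in one snapshot and as a live task in the next, and lists processes whose command line names that PID's /proc entry. The function names are this example's own.

```python
import re

# Rows from the two `ps aux | grep 1349` listings in the first message,
# before and after `kill -9 1350` (System.map warnings left out).
BEFORE = """\
pavel 1350 0.0 0.3 724 224 tty1 T 22:28 0:00 delayed_cat /proc/1349/status
pavel 1349 12.1 0.0 0 0 tty1 Z 22:28 0:34 [while1 <defunct>]
pavel 1361 0.0 0.5 844 332 tty2 S 22:33 0:00 grep 1349
"""
AFTER = """\
pavel 1349 88.2 0.3 720 216 tty1 R 22:30 2:46 while1
pavel 1363 0.0 0.5 844 332 tty2 S 22:33 0:00 grep 1349
"""

FIELDS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tty",
          "stat", "start", "time", "command")

def parse_ps(text):
    """Parse `ps aux` rows (no header) into {pid: row-dict}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, len(FIELDS) - 1)
        if len(parts) != len(FIELDS) or not parts[1].isdigit():
            continue  # skip warnings, headers and truncated lines
        row = dict(zip(FIELDS, parts))
        rows[int(row["pid"])] = row
    return rows

def stale_zombies(before, after):
    """PIDs listed as zombie (Z) earlier and as a live task later.

    A zombie never runs again, so the Z row described a different, dead
    task. Ordinary PID reuse between snapshots looks the same, so a hit
    is something to review, not proof.
    """
    hits = []
    for pid, old in before.items():
        new = after.get(pid)
        if new and old["stat"].startswith("Z") and new["stat"][0] not in "ZX":
            hits.append((pid, old["start"], new["start"]))
    return sorted(hits)

def proc_readers(rows, pid):
    """PIDs whose command line names a path under /proc/<pid>."""
    pat = re.compile(r"/proc/%d(/|\s|$)" % pid)
    return sorted(p for p, r in rows.items() if pat.search(r["command"]))

if __name__ == "__main__":
    before, after = parse_ps(BEFORE), parse_ps(AFTER)
    for pid, old, new in stale_zombies(before, after):
        print(pid, "Z from", old, "live from", new, proc_readers(before, pid))
```

On a live system the command-line match only catches readers that name the path as an argument; a process that opened the file some other way would need its open file descriptors inspected instead.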