On Tue, Jan 24, 2012 at 10:10, Jeffrey Walton <[email protected]> wrote:
> Does ptrace defeat -fPIE?
>

No. When I find the offset via ptrace, I do this in a different /bin/su than the one I eventually use for injection. This is because when you ptrace an executable, if it is SUID, it will *drop* its SUIDness if it's being ptraced. This is an obvious security enhancement. Since ptrace allows you to write arbitrary memory, if this wasn't in place, then this attack would have been trivial long ago.

Because I ptrace one /bin/su and inject on another, PIE still deters the attack, because the addresses will be different each time. What ptracing does provide over the objdump approach is that it allows you to determine the offset without having read access to the suid executable, which is something required for some security conscious distributions, for example, Gentoo.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
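Added illustration of the point the reply makes about PIE (not code from the thread): a symbol's offset from the executable's load bias is the same on every run, while the absolute address, the only thing an attacker can act on in a *different* process, changes with each execution under PIE plus ASLR. It uses glibc's `dl_iterate_phdr`, whose first reported object is the main executable; run it twice and compare the "load bias" and "main" lines.

```c
#define _GNU_SOURCE
#include <link.h>
#include <stdint.h>
#include <stdio.h>

/* dl_iterate_phdr callback: the first object reported is the main
 * executable and dlpi_addr is its load bias (0 for a non-PIE binary,
 * a randomised page-aligned value for a PIE binary under ASLR). */
static int first_object(struct dl_phdr_info *info, size_t size, void *data)
{
    (void)size;
    *(uintptr_t *)data = info->dlpi_addr;
    return 1;               /* non-zero stops the iteration */
}

/* Load bias of the running executable. */
uintptr_t exe_load_bias(void)
{
    uintptr_t bias = 0;
    dl_iterate_phdr(first_object, &bias);
    return bias;
}

/* Offset of an address inside the executable image. This is the quantity
 * that objdump or a ptrace of one process can reveal; it does not change
 * between runs, but on its own it is not an address in another process. */
uintptr_t exe_offset(uintptr_t addr)
{
    return addr - exe_load_bias();
}

int main(void)
{
    uintptr_t bias = exe_load_bias();
    uintptr_t addr = (uintptr_t)main;
    printf("load bias : 0x%lx\n", (unsigned long)bias);
    printf("main      : 0x%lx\n", (unsigned long)addr);
    printf("offset    : 0x%lx\n", (unsigned long)exe_offset(addr));
    return 0;
}
```

With `-fPIE -pie` the first two lines differ between runs and the third does not; built without PIE the load bias is 0 and all three lines are fixed.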
