> Among other things mentioned in this thread, just take a look at the exploit
> technique used in the recent kernel_thread()/ptrace() race condition in the
> Linux kernel. That exploit needed to PTRACE_ATTACH to newly created
> thread (invoked "automatically" by kmod) before it was possible to know
> PID of this newly created thread. So it used simple heuristic - current
> pid + 1, which was true on most systems without PID randomization.

The exploit attaches to the spawned kmod process, which must already have its PID.
It doesn't have to predict the PID before the process is created.

Even if the PID is chosen randomly, there are at least three techniques
that allow guessing its value easily:

  1. Scanning /proc directory tree to determine new entries

  2. Using kill(pid, 0) to verify each pid's existence

  3. Use some other syscalls that take a pid as an argument and analyse
     the error value returned:

        waitpid
        wait4
        ptrace
        setpgid
        getpgid
        capget

     ...and maybe some others.

15 bits of randomness isn't sufficient to prevent guessing its value.

Cheers,
wp

-- 
Wojciech Purczynski
iSEC Security Research
http://isec.pl/
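Technique 2 above, worked through as an added example that is not part of the original mail (Linux is assumed; the PID-space size is taken from /proc/sys/kernel/pid_max, falling back to the 32768 the mail's "15 bits" refers to). It snapshots the live PID set with kill(pid, 0), forks a child, snapshots again, and checks that the diff contains the child's real PID, which is the reason PID randomization on its own does not hide a new process from a local observer:

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Size of the PID space: /proc/sys/kernel/pid_max on Linux, otherwise the
 * classic 32768 (15 bits) the mail refers to. */
static size_t read_pid_max(void) {
    long v = 0;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &v) != 1) v = 0; fclose(f); }
    return (v > 1 && v <= 4194304) ? (size_t)v : 32768;
}

/* kill(pid, 0) delivers no signal; it only asks whether the PID exists.
 * ESRCH means no such process; EPERM means it exists but is not ours. */
static void snapshot_pids(unsigned char *alive, size_t n) {
    for (size_t pid = 1; pid < n; pid++) {
        errno = 0;
        alive[pid] = (kill((pid_t)pid, 0) == 0 || errno == EPERM);
    }
}

/* Snapshot, fork a child that just waits, snapshot again, and report (1/0)
 * whether the diff of the two snapshots contains the child's real PID.
 * A linear probe finds the new process however its PID was chosen. */
int demo_locate_child(void) {
    size_t n = read_pid_max();
    unsigned char *before = calloc(n, 1), *after = calloc(n, 1);
    int found = 0;
    if (before && after) {
        snapshot_pids(before, n);
        pid_t child = fork();
        if (child == 0) { pause(); _exit(0); }   /* child: sit still until killed */
        if (child > 0) {
            snapshot_pids(after, n);
            found = (size_t)child < n && after[child] && !before[child];
            kill(child, SIGKILL);
            waitpid(child, NULL, 0);
        }
    }
    free(before); free(after);
    return found;
}

int main(void) { return demo_locate_child() ? 0 : 1; }  /* exit 0 = child located */
```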


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html