Re: [Full-Disclosure] Attacks based on predictable process IDs??
- To: Christopher Allene <cwis@nerim.fr>, Full Disclosure <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] Attacks based on predictable process IDs??
- From: Brett Hutley <brett@hutley.net>
- Date: Wed, 26 Nov 2003 14:30:12 +1100
Christopher Allene wrote:
Brett Hutley (brett@hutley.net) wrote on 2003-11-26 at 11:32:
Folks, does anyone know why predictable process IDs are considered harmful?
Predictable process IDs can be used as a vector to attack programs
vulnerable to race conditions in /tmp file creation, in case those
programs use their PID to create a file, meaning you could possibly
create one (or, for "practical" uses, more often a link or a named pipe)
first.
Programs which use the following pseudo-code are also vulnerable:
srand (getppid ());
because the sequence of the so-called rand()om numbers is predictable.
(Arguably, calling srand() passing a xor of your PID and the current
time is no better. See perldoc -f srand for a discussion on this, I'm
getting offtopic.)
Hmmm... so it's more a case of a badly written program using the process
ID in an insecure way causing the vulnerability, rather than a predictable
process ID causing a vulnerability by itself?
Thus, I remember a really weird situation where predictable PIDs were
used to compromise security, it was discussed on BugTraq a while ago,
but I couldn't find a track of it in my BT archive... anyone?
--
Brett Hutley [MAppFin,CISSP,SANS GCIH]
mailto:brett@hutley.net
http://hutley.net/brett
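Added example (not from either poster; written here to make the two points in the quoted reply concrete). It shows, first, that seeding with the PID makes the whole rand() stream reproducible to anyone who knows the seed, and second, the two defensive ways of creating a /tmp file when a PID-derived name could have been guessed in advance: open the deterministic name with O_EXCL (and O_NOFOLLOW where available) so that any pre-existing entry, link or FIFO included, makes the open fail rather than get used, or let mkstemp() pick an unguessable name and do the exclusive create itself. The directory "/tmp" and the prefix "demo" are assumptions for the sake of the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* makes mkstemp() and O_NOFOLLOW visible on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0  /* platform lacks it: O_EXCL alone still refuses an existing entry */
#endif

/* Part 1: srand(getpid()) is weak because the PID is the whole secret.
 * Fill out[] with n values drawn after seeding with `seed`. */
void rand_stream_from_seed(unsigned seed, int *out, int n)
{
    srand(seed);
    for (int i = 0; i < n; i++)
        out[i] = rand();
}

/* Returns 1 when two streams seeded with the same value agree value-for-value,
 * i.e. when knowing (or guessing) the seed reproduces every "random" number. */
int streams_identical(unsigned seed, int n)
{
    int a[64], b[64];
    if (n > 64) n = 64;
    rand_stream_from_seed(seed, a, n);
    rand_stream_from_seed(seed, b, n);
    return memcmp(a, b, (size_t)n * sizeof(int)) == 0;
}

/* Part 2a: deterministic "<dir>/<prefix>.<pid>" name, opened defensively.
 * O_EXCL makes open() fail if anything already sits at that name, O_NOFOLLOW
 * refuses a symlink at the last component, and 0600 keeps the file private.
 * Returns the fd, or -1 if the name is taken or cannot be created. */
int open_pid_named_exclusive(const char *dir, const char *prefix,
                             char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/%s.%ld", dir, prefix, (long)getpid());
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Part 2b: mkstemp() replaces the trailing XXXXXX with characters an attacker
 * cannot derive from the PID and performs the O_CREAT|O_EXCL create with mode
 * 0600 itself. template_buf must be writable; it receives the final name. */
int open_unpredictable_tempfile(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Post-open check before writing anything sensitive: the descriptor must be a
 * regular file (not a FIFO or device someone planted) with mode 0600. */
int fd_is_private_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600;
}

int main(void)
{
    char path[256];
    printf("same PID seed gives same rand() stream: %d\n",
           streams_identical((unsigned)getpid(), 16));

    int fd = open_pid_named_exclusive("/tmp", "demo", path, sizeof path);
    printf("exclusive create of %s: fd=%d private=%d\n", path, fd,
           fd >= 0 ? fd_is_private_regular_file(fd) : 0);
    if (fd >= 0) { close(fd); unlink(path); }

    char tmpl[] = "/tmp/demo.XXXXXX";
    int fd2 = open_unpredictable_tempfile(tmpl);
    printf("mkstemp chose %s: fd=%d private=%d\n", tmpl, fd2,
           fd2 >= 0 ? fd_is_private_regular_file(fd2) : 0);
    if (fd2 >= 0) { close(fd2); unlink(tmpl); }
    return 0;
}
```

The second call to open_pid_named_exclusive() in the same process fails with -1 because the name is already taken; that is exactly the behaviour wanted when an attacker has pre-created the guessed name, and the program should treat it as an error rather than fall back to a non-exclusive open.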
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html