[22943] in bugtraq


Re: Flaws in recent Linux kernels

daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Mon Oct 22 11:27:00 2001

Date: Mon, 22 Oct 2001 11:19:25 +0200 (EEST)
From: Mariusz Woloszyn <emsi@ipartners.pl>
Cc: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.31.0110191625290.4215-200000@duck.sh.cvut.cz>
Message-ID: <Pine.LNX.4.04.10110221103120.12025-100000@dzyngiel.ipartners.pl>

On Fri, 19 Oct 2001, Martin Kacer wrote:

>    PS: What about executing suid binary while some other process has our
> /proc/$$/mem opened for writing? Isn't there the same problem too?
> Unfortunately, I do not have enough time to investigate that.
> 
VERY quick test: opening mem WRONLY returns EINVAL on write().

But opening /proc/%i/exe of a process that executes a suid binary works
well. After exec() another process is able to read the suid binary.
[Isn't it known behavior???]

Opening mem RDONLY works, but after exec() of a setuid binary read() returns
"no such process".

Thinking 'bout mmapping and other tricks...

Tested on 2.2.19.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners

