
Re: ptrace in linux kernel

From: D.C. van Moolenbroek <xanadu(at)chello.nl>
Date: Mon Mar 24 2003 - 17:36:11 EST

Linux uses PIDs sequentially: if the last spawned process was assigned pid N, then the next spawned process will be assigned pid N+1, starting from 1 and wrapping to 300 at 32768.

That means you can easily "guess" the PID of a kernel process: for example, spawn a child in your exploit program, then start the kernel process (e.g. using a socket() call with an unused protocol, as seen in a few exploits), and the kernel process will _probably_ have a PID equal to the PID of the child plus one.

Of course, this will go wrong when there is another process created in the meantime - and that is far from theoretical on a system with lots of activity. However, this is easy to detect, because the ptrace attach operation will fail in that case.

Regards,

David

"Marcus Tangermann" wrote:
> As far as I understand the problem with the ptrace bug in the linux

--
class sig{static void main(String[]s){for// D.C. van Moolenbroek
(int _=0;19>_;System.out.print((char)(52^// (CS student, VU, NL)
"Y`KbddaZ}`P#KJ#caBG".charAt(_++)-9)));}}// -Java sigs look bad-
Received on Mon Mar 24 17:53:22 2003
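The sequential allocation David describes above is something a defender can measure directly on a host: if consecutive forks land on consecutive PIDs, any scheme that relies on a "next PID" guess is feasible there, and the size of the gap between forks is the only noise an attacker has to contend with. The following program is an added example, not code from the original post; it forks a handful of short-lived children in a row, counts how many neighbouring PIDs differ by exactly one, and reports kernel.pid_max from /proc so the wrap-around ceiling mentioned in the message can be compared with the running system (the 32768 ceiling and the restart at 300 in the text are the 2003-era values; the /proc file is the current one on the host you run it on).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read kernel.pid_max from /proc.  Returns -1 when the file is not
 * available (non-Linux host, restricted /proc), so callers can tell
 * "unknown" apart from a real value. */
long read_pid_max(void) {
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Fork n short-lived children one after another (each child exits at
 * once and is reaped before the next fork), optionally record their PIDs
 * in pids, and return how many of the n-1 neighbouring pairs differ by
 * exactly one.  On an otherwise idle system with sequential allocation
 * the result is n-1: every child got "previous + 1".  Each pair that is
 * not adjacent means another process was created in between, or the PID
 * counter wrapped, which is exactly the failure case the post describes. */
int count_adjacent_pids(int n, pid_t *pids) {
    int adjacent = 0;
    pid_t prev = -1;
    for (int i = 0; i < n; i++) {
        pid_t child = fork();
        if (child < 0) {
            perror("fork");
            exit(1);
        }
        if (child == 0)
            _exit(0);               /* child: do nothing, just consume a PID */
        waitpid(child, NULL, 0);    /* parent: reap before forking again */
        if (pids)
            pids[i] = child;
        if (prev > 0 && child == prev + 1)
            adjacent++;
        prev = child;
    }
    return adjacent;
}

int main(void) {
    enum { N = 8 };
    pid_t pids[N];
    long pid_max = read_pid_max();
    int adjacent = count_adjacent_pids(N, pids);

    printf("kernel.pid_max = %ld\n", pid_max);
    printf("child PIDs:");
    for (int i = 0; i < N; i++)
        printf(" %d", (int)pids[i]);
    printf("\n%d of %d neighbouring pairs were adjacent: allocation looks %s\n",
           adjacent, N - 1,
           adjacent == N - 1 ? "strictly sequential (predictable)"
                             : "interleaved with other process creation");
    return 0;
}
```

Run it a few times on a busy and on a quiet machine; the number of adjacent pairs drops as soon as anything else on the host forks between two of the samples, which is the same interference the post says makes the guess fail (and, in the post's scenario, is caught because the attach then fails).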
