* ptrace allows you to read -r files
From: Andrew Griffiths @ 2002-02-05 0:33 UTC
To: linux-kernel
Hello everyone,
While playing around I noticed that if I fork()ed, then did ptrace(PTRACE_TRACEME,...) then exec'd a non-readable binary, the ptrace interface would let me read the binary.
This was tested on 2.4.17ctx-5 (the security context patch), however I have been told it works on vanilla kernels, also I tested it on 2.4.2-pax on an old machine. (pentium 75...)
For those who want some demo code, you can find it at http://203.39.161.186/readbin.tgz.
For testing it, I used /usr/bin/ssh which was rws--x--x.
Since I'm not subscribed to this list, could any replies be cc'd to me? Thanks.
Sincerely,
Andrew Griffiths
--
www.tasmail.com
[-- Attachment #2: readbin.tgz --]
[-- Type: application/octet-stream, Size: 24816 bytes --]
* Re: ptrace allows you to read -r files
From: Daniel Jacobowitz @ 2002-02-05 3:06 UTC
To: Andrew Griffiths; +Cc: linux-kernel
On Tue, Feb 05, 2002 at 11:33:32AM +1100, Andrew Griffiths wrote:
> Hello everyone,
>
> While playing around I noticed that if I fork()ed, then did ptrace(PTRACE_TRACEME,...) then exec'd a non-readable binary, the ptrace interface would let me read the binary.
>
> This was tested on 2.4.17ctx-5 (the security context patch), however I have been told it works on vanilla kernels, also I tested it on 2.4.2-pax on an old machine. (pentium 75...)
>
> For those who want some demo code, you can find it at http://203.39.161.186/readbin.tgz.
>
> For testing it, I used /usr/bin/ssh which was rws--x--x.
>
> Since I'm not subscribed to this list, could any replies be cc'd to me? Thanks.
I think this is just 'known'. Note that it isn't a security problem
otherwise; you'll find that the setuid application does not setuid if
it is ptraced. On 2.4.17 at least.
--
Daniel Jacobowitz Carnegie Mellon University
MontaVista Software Debian GNU/Linux Developer
* Re: ptrace allows you to read -r files
From: Andrew Griffiths @ 2002-02-05 10:12 UTC
To: Daniel Jacobowitz; +Cc: linux-kernel
G'day,
After talking to some people, they confirm it is known, but what is the point of -r'ing binaries if it can be read?
While it may not be a direct security threat, being able to look inside an otherwise unreadable binary can be a problem, for example, seeing if it is working or not, or possibly got entries for format strings.
Also some programs have a secret value inside them they use for authentication with remote clients. (Possibly Q by mixter @ mixter.warrior2k.com rings a bell).
While I guess there is no standard for ptrace, what do the other operating systems do? I've been told FreeBSD won't allow you to ptrace() a non-readable binary, but unable to confirm it myself.
On Monday, February 04, 2002 at 10:06:28 PM, Daniel Jacobowitz wrote:
> On Tue, Feb 05, 2002 at 11:33:32AM +1100, Andrew Griffiths wrote:
> > For those who want some demo code, you can find it at http://203.39.161.186/readbin.tgz.
>
> I think this is just 'known'. Note that it isn't a security problem
> otherwise; you'll find that the setuid application does not setuid if
> it is ptraced. On 2.4.17 at least.
>
>
--
www.tasmail.com
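
Added example, not part of the thread or of the readbin demo: a defender-side audit that lists regular files relying on execute-without-read mode bits (like the rws--x--x /usr/bin/ssh mentioned above), so an administrator can see which binaries depend on that protection. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

# Hypothetical helper names; the sample files in demo() are constructed.
CLASSES = (
    ("user", stat.S_IRUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IXGRP),
    ("other", stat.S_IROTH, stat.S_IXOTH),
)

def exec_only_classes(mode):
    """Return the permission classes that may execute but not read."""
    return [name for name, r, x in CLASSES if mode & x and not mode & r]

def audit(root):
    """Walk root and report regular files with execute-without-read bits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            classes = exec_only_classes(st.st_mode)
            if classes:
                findings.append({
                    "path": path,
                    "mode": stat.filemode(st.st_mode),
                    "exec_only": classes,
                    "setid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)),
                })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Build a constructed tree with three permission patterns and audit it."""
    samples = (("ssh_like", 0o4711), ("normal", 0o755), ("data", 0o600))
    with tempfile.TemporaryDirectory() as root:
        for name, mode in samples:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF")  # placeholder content only
            os.chmod(path, mode)
        return [(os.path.basename(f["path"]), f["exec_only"]) for f in audit(root)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Anything the audit reports that also embeds a secret is a candidate for moving that secret out of the binary, since the thread's point is that the missing read bit did not stop a tracing parent on the kernels tested.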