sandbox-rlimit and ptrace.
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sat Dec 21 00:27:07 EST 2013
I was wondering if the following attack would be feasible once I'm able
to break into rlimit sandbox.
Because sandboxed process that handles unauthenticated session is
running as the 'sshd' user I was wondering if this could be used to jump
between processes using ptrace(2). For example if I find a bug in the
code executed before authentication I could use ptrace(2) to attach to
another unprivileged processes running with the same credentials as I
am. If I understand correctly this sandbox process is responsible for
extracting credentials of the connecting user from the protocol, which
means if I attach to a process handling root loggining in with a
password I could obtain root's password.
Can someone confirm or tell me what am I missing?
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131220/19b13c8f/attachment-0001.bin>
More information about the openssh-unix-dev
mailing list