sandbox-rlimit and ptrace.
Pawel Jakub Dawidek
pjd at FreeBSD.org
Sun Dec 22 12:56:56 EST 2013
On Sat, Dec 21, 2013 at 07:54:02AM +1100, Damien Miller wrote:
> On Fri, 20 Dec 2013, Pawel Jakub Dawidek wrote:
>
> > I was wondering if the following attack would be feasible once I'm able
> > to break into rlimit sandbox.
> >
> > Because sandboxed process that handles unauthenticated session is
> > running as the 'sshd' user I was wondering if this could be used to jump
> > between processes using ptrace(2). For example if I find a bug in the
> > code executed before authentication I could use ptrace(2) to attach to
> > another unprivileged processes running with the same credentials as I
> > am. If I understand correctly this sandbox process is responsible for
> > extracting credentials of the connecting user from the protocol, which
> > means if I attach to a process handling root loggining in with a
> > password I could obtain root's password.
> >
> > Can someone confirm or tell me what am I missing?
>
> It shouldn't be possible because the child process has a setuid in its
> history and this should deny ptrace of the process by any user but root.
Indeed, thanks.
--
Pawel Jakub Dawidek http://www.wheelsystems.com
FreeBSD committer http://www.FreeBSD.org
Am I Evil? Yes, I Am! http://mobter.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20131222/9afcf1bb/attachment.bin>
More information about the openssh-unix-dev
mailing list