250972 – (CVE-2007-3848) CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG

Bug 250972 (CVE-2007-3848) - CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG

Summary: CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2007-3848
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Peter Zijlstra
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	251115 251116 251117 251118 251119 252306 252307
Blocks:
TreeView+	depends on / blocked

Reported:	2007-08-06 09:06 UTC by Marcel Holtmann
Modified:	2019-09-29 12:20 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2007-11-01 13:35:04 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2007:0939	normal	SHIPPED_LIVE	Important: kernel security update	2008-01-07 18:58:13 UTC
Red Hat Product Errata	RHSA-2007:0940	normal	SHIPPED_LIVE	Important: kernel security update	2007-10-22 10:52:41 UTC
Red Hat Product Errata	RHSA-2007:1049	normal	SHIPPED_LIVE	Important: kernel security and bug fix update	2007-12-03 15:37:55 UTC
Red Hat Product Errata	RHSA-2008:0787	normal	SHIPPED_LIVE	Important: kernel security update	2009-01-05 07:08:54 UTC
Red Hat Product Errata	RHSA-2009:0001	normal	SHIPPED_LIVE	Important: kernel security update	2009-01-08 15:47:52 UTC

Description Marcel Holtmann 2007-08-06 09:06:01 UTC

Reported by Vulnerability Research Labs, COSEINC PTE Ltd.

An unprivileged user may send arbitrary signal to a child process even
if it is running with higher privileges.

When a parent process dies or exits its child processes may receive a
signal.  Each child process may choose and set its own "parent process
death signal" using PR_SET_PDEATHSIG function of the prctl() system
call. 

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
        exit()'ed or killed
                        child receives the signal

The parent process death signal is not reset over execve() system call
and is inherited by spawned process:

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
                        execve("./a.out")
        exit()'ed or killed
                        child receives the signal

The signal gets delivered only if parent process has sufficient
privileges to send signals to child processes. Typically any child
process running with higher privilege than its parent will receive no
signal. 

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
                        execve("/bin/setuid-binary")
        exit()'ed or killed
                        child receives NO signal this time

However, above restriction may be bypassed if parent process execute
setuid-root binary which dies afterwards.

        PARENT          CHILD
        ----------------------------------------------------------------
        fork()
                        prctl(PR_SET_PDEATHSIG)
                        execve("/bin/setuid-binary")
        execve("/bin/setuid-binary")
        exit()'ed or killed
                        privileged process receives the signal

Comment 6 Marcel Holtmann 2007-08-14 16:14:13 UTC

This went public today:

http://marc.info/?l=openwall-announce&m=118710356812637&w=2

Comment 8 Marcel Holtmann 2007-08-17 19:33:35 UTC

The post of their advisory can be found here:

http://marc.info/?l=bugtraq&m=118711306802632&w=2

Note You need to log in before you can comment on or make changes to this bug.