TOCTTOU vulnerabilities in procfs? How safe are Linux VFSes?

Discussion in 'all things UNIX' started by Gullible Jones, Sep 2, 2014.

  1. Gullible Jones (Registered Member, joined May 16, 2013)
    So, say some privileged service is reading data from the /proc filesystem. It checks that a process has some PID, and then reads stuff from its subdirectory in /proc.

    This is of course a TOCTTOU race condition, because the PID may be associated with a different process when the read occurs.

    e.g. say a privileged server accesses the memory of a client, which runs as a limited user. Noticing this, an attacker
    1. Waits for the check
    2. Kills the client PID
    3. Immediately drops a forkbomb that embeds a nasty payload

    With a bit of bad luck, the forkbomb may grab the same PID, and the server will be tricked into accessing the payload. By the time the admin has recognized the forkbomb symptoms and forced a reboot, the attacker may have persistent root access.

    There are some defenses against this already:
    - Never use procfs from a privileged service
    - Set reasonable ulimits for everyone to prevent forkbombs, etc.
    - Make sure PIDs are generated in an unpredictable fashion

    and this is all quite theoretical; I've never even heard of such an attack in the wild. But keeping things theoretical, I have to ask: how safe are virtual filesystems as a way of accessing process information from userspace? Was the Plan9 "everything is a file" concept naive with respect to security in practice?
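The race described above comes from doing the check and the read as two separate path lookups of the same PID string. The usual defensive pattern on Linux is to bind to the process instance once and do every later access relative to that binding: open `/proc/<pid>` as a directory fd and read its entries with `openat()`, and record the process start time (field 22 of `/proc/<pid>/stat`) so a reused PID can be told apart from the original. The following script is an added example (not code from the original post or from any project it mentions); it assumes a Linux host with procfs mounted, and the function and variable names are my own. It forks a short-lived child, pins its `/proc` entry, lets the child exit, and shows that the pinned handle refuses to serve data for the dead process, while the by-path `unsafe_read_status()` shows the check-then-use shape the post warns about.

```python
"""Pin a /proc/<pid> entry once, then read relative to it (added example)."""
import errno
import os


def proc_identity(pid: int):
    """Return (pid, starttime) from /proc/<pid>/stat, or None if the PID is absent.

    starttime (stat field 22) is the boot-relative clock tick at which the
    process started; (pid, starttime) identifies a process *instance*, so a
    later process that merely reuses the PID number will not match.
    """
    try:
        with open(f"/proc/{pid}/stat", "rb") as f:
            data = f.read()
    except (FileNotFoundError, ProcessLookupError):
        return None
    # comm (field 2) may contain spaces or parentheses, so split after the last ')'
    rest = data[data.rindex(b")") + 1:].split()
    # rest[0] is field 3 (state), so field N is rest[N - 3]; field 22 is rest[19]
    return (pid, int(rest[19]))


def open_proc_dir(pid: int) -> int:
    """Open /proc/<pid> as a directory fd.

    Every later read goes through openat() on this fd, so it stays bound to
    the process instance that existed when we checked, not to whatever
    process later owns the same PID number.
    """
    return os.open(f"/proc/{pid}", os.O_RDONLY | os.O_DIRECTORY)


def read_proc_file(dirfd: int, name: str) -> bytes:
    """Read a small file such as 'status' relative to the pinned directory fd."""
    fd = os.open(name, os.O_RDONLY, dir_fd=dirfd)
    try:
        return os.read(fd, 65536)
    finally:
        os.close(fd)


def unsafe_read_status(pid: int) -> bytes:
    """Check-then-use by path: two independent lookups of the same PID string.

    Between the isdir() check and the open(), the PID can be freed and
    reassigned, which is exactly the TOCTTOU window discussed in the thread.
    """
    if not os.path.isdir(f"/proc/{pid}"):
        raise ProcessLookupError(pid)
    with open(f"/proc/{pid}/status", "rb") as f:
        return f.read()


def demo():
    """Fork a child, pin its /proc entry, let it exit, then re-read via the pin.

    Returns None on hosts without procfs; otherwise a dict describing what
    each access returned before and after the child was reaped.
    """
    if not os.path.exists("/proc/self/stat"):
        return None
    r, w = os.pipe()
    child = os.fork()
    if child == 0:
        os.close(w)
        os.read(r, 1)  # block until the parent signals, then exit
        os._exit(0)
    os.close(r)

    ident = proc_identity(child)               # identity at check time
    dirfd = open_proc_dir(child)               # the binding we will reuse
    before_pinned = read_proc_file(dirfd, "status").startswith(b"Name:")
    before_by_path = unsafe_read_status(child).startswith(b"Name:")

    os.write(w, b"x")
    os.close(w)
    os.waitpid(child, 0)                       # child reaped; its PID is now free

    try:
        read_proc_file(dirfd, "status")
        after_pinned = "readable"              # would indicate a stale-handle leak
    except OSError as e:
        after_pinned = errno.errorcode.get(e.errno, str(e.errno))
    os.close(dirfd)

    return {
        "ident": ident,
        "before_pinned": before_pinned,
        "before_by_path": before_by_path,
        "after_pinned": after_pinned,
        # None unless the PID was already reused; if it was, starttime differs
        "identity_now": proc_identity(child),
    }


if __name__ == "__main__":
    print(demo())
```

The pinned directory fd holds a reference to the kernel's `struct pid`, which is never recycled while referenced, so once the task is gone the kernel answers `ENOENT` for entries under it instead of silently redirecting to a new process that happens to get the same number. On kernels with `pidfd_open(2)` (5.3 and later) the same binding is available directly as a pidfd, and comparing `(pid, starttime)` before and after a privileged operation is the portable fallback when no fd can be held across the check and the use.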
  2. Hungry Man (Registered Member, joined May 11, 2011)
    PIDs are already generated with a bit of entropy, I believe.