Re: New Security Features, Please Comment

From: Valdis . Kletnieks
Date: Thu Dec 04 2008 - 22:35:51 EST

On Fri, 05 Dec 2008 09:30:54 +1100, Geoffrey McRae said:
> On Thu, 2008-12-04 at 16:56 -0500, Valdis.Kletnieks@xxxxxx wrote:

> > while (getpid()) msleep(1);
> > /* malicious code here */
> >
> This would only be dangerous if the parent did not wait for the child to
> finish its task before changing its uid, which for a FastCGI app, it has
> to as it needs the response to send back to the client. All that would
> happen here is the CGI script would sleep forever, or until the HTTP
> server killed the process.

Thus providing me with a way to DoS your webserver by sticking all your
server processes into a sleep-forever... :)

You're also overlooking the fact that the malicious code could do something
like this:

/* send the parent something that makes it *think* the request finished */
printf("We're all done now\n");
while (getpid()) msleep (1);

Remember - whatever the child is doing to signal that it's done, can *also*
be done by the exploit code. There's only one real exception - the child
can call exit() - if the exploit exits so a SIGCHLD is generated, then
it can't run anymore. However, since the whole *point* here is avoiding
the usual exit/fork/exec overhead...

Attachment: pgp00000.pgp
Description: PGP signature