Vigil@nce: Linux kernel, sending a signal to parent via clone
February 2009 by Marc Jacob
SYNTHESIS OF THE VULNERABILITY
A process can use clone() to kill its parent process, even if it
does not have sufficient privileges.
Gravity: 1/4
Consequences: denial of service of service
Provenance: user shell
Means of attack: 1 proof of concept
Ability of attacker: specialist (3/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 25/02/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The clone() system call creates a new process. The CLONE_PARENT
flag indicates that the parent of this process is the same as the
parent of the current process (there are "brothers"). The third
parameter of clone() can also indicate the signal to send to the
father when the child ends (SIGCHLD by default).
However, the kernel does not forbid the new process to send a
SIGKILL signal to the parent process, even it is privileged. The
current process thus asks to his "brother" to kill their parent
process.
For example, if attacker’s code runs in a child process created by
a daemon, he can kill the daemon.
CHARACTERISTICS
Identifiers: BID-33906, CESA-2009-002, VIGILANCE-VUL-8493
http://vigilance.fr/vulnerability/Linux-kernel-sending-a-signal-to-parent-via-clone-8493