ID CVE-2018-1121
Summary procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.
References
Vulnerable Configurations
  • cpe:2.3:a:procps__project:procps:3.3.15
    cpe:2.3:a:procps__project:procps:3.3.15
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
exploit-db via4
description Procps-ng - Multiple Vulnerabilities. CVE-2018-1120,CVE-2018-1121,CVE-2018-1122,CVE-2018-1123,CVE-2018-1124. Local exploit for Linux platform. Tags: Denial o...
file exploits/linux/local/44806.txt
id EDB-ID:44806
last seen 2018-05-30
modified 2018-05-30
platform linux
port
published 2018-05-30
reporter Exploit-DB
source https://www.exploit-db.com/download/44806/
title Procps-ng - Multiple Vulnerabilities
type local
nessus via4
NASL family Gentoo Local Security Checks
NASL id GENTOO_GLSA-201805-14.NASL
description The remote host is affected by the vulnerability described in GLSA-201805-14 (procps: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in procps. Please review the CVE identifiers referenced below for details. Impact : A local attacker could execute arbitrary code, escalate privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen 2018-09-05
modified 2018-09-04
plugin id 110255
published 2018-05-31
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=110255
title GLSA-201805-14 : procps: Multiple vulnerabilities
packetstorm via4
data source https://packetstormsecurity.com/files/download/147806/qualys-procps-ng-audit-report.txt
id PACKETSTORM:147806
last seen 2018-05-24
published 2018-05-22
reporter qualys.com
source https://packetstormsecurity.com/files/147806/Procps-ng-Audit-Report.html
title Procps-ng Audit Report
refmap via4
bid 104214
confirm https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121
gentoo GLSA-201805-14
misc https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
mlist [oss-security] 20180517 Qualys Security Advisory - Procps-ng Audit Report
Last major update 13-06-2018 - 16:29
Published 13-06-2018 - 16:29
Last modified 21-10-2018 - 06:29
Back to Top