Add PR_SET_PTRACER to process and ssh.process #828

Merged
merged 24 commits into from Jan 4, 2017

Projects

None yet

2 participants

@zachriggle
Contributor
zachriggle commented Dec 28, 2016 edited

Using PR_SET_PTRACER will avoid running into issues with debugging when kernel YAMA security settings are enabled.

These can be disabled locally, but require root access. This is a problem for both rootless Travis CI testing, and e.g. debugging Wargame processes.

PR_SET_PTRACER should have no negative functional effects, and only side-steps the YAMA mitigations (it does not permit any ptracer, UID/GID checks still apply, etc.).

This grants us the ability to do e.g. process.corefile on systems with YAMA enforcing, like Travis.

@zachriggle zachriggle requested a review from Idolf Dec 28, 2016
@zachriggle zachriggle self-assigned this Dec 28, 2016
@zachriggle
Contributor
zachriggle commented Dec 28, 2016 edited

It looks like the core dumps generated by GDB do not contain all of the data, at least as can be seen from PyElfTools.

For example:

$ gcore $$
Saved corefile core.17366
$ readelf -a /proc/$$/exe | grep -i 'Entry point'
  Entry point address:               0x42020b
$ gdb -q --nh --nx /proc/$$/exe core.17366
(gdb) x/wx 0x42020b
0x42020b <_start>:      0x8949ed31
(gdb) q
$ python
>>> from pwn import *
>>> c=Core('core.17366')
>>> c.u32(0x42020b)
0
>>> seg = next(s for s in c.segments if s.header.p_vaddr <= 0x42020b and 0x42020b < s.header.p_vaddr + s.header.p_memsz)
>>> seg.header
Container({'p_memsz': 978944, 'p_flags': 5, 'p_offset': 7136, 'p_type': 'PT_LOAD', 'p_align': 1, 'p_paddr': 0, 'p_filesz': 0, 'p_vaddr': 4194304})
>>> seg.data()
''
>>> data = read(c.file.name)
>>> data[7136:7136+4]
'\x00\x00\x00\x00'

We can see that it looks like GDB is pulling the data directly from the original file.

$ strace -x -P /bin/bash gdb -q --batch --nh --nx --ex 'x/wx 0x42020b' /bin/bash core.17366
...
lseek(8, 131072, SEEK_SET)              = 131072
read(8, "\x0f\x85\x0c\xfc\xff\xff\x48\x8b\x3d\xbb\x8c\x2d\x00\xe8\x8e\xdc\xff\xff\x89\xc7\xe8\x57\xf2\x06\x00\x85\xc0\x0f\x85\xf1\xfb\xff"..., 4096) = 4096
0x42020b <_start>:      0x8949ed31
@zachriggle zachriggle added this to the Someday milestone Jan 3, 2017
zachriggle added some commits Dec 14, 2016
@zachriggle zachriggle Add PR_SET_PTRACER to initialization, and add doctests for process.le…
…ak/corefile
da7bd22
@zachriggle zachriggle Add PR_SET_PTRACER to SSH processes c9582f6
@zachriggle zachriggle Do not warn about YAMA if we dont need to 41be9a2
@zachriggle zachriggle Fix doctest to use raw strings e093f3a
@zachriggle zachriggle Fix typo in doctest cd45ecd
@zachriggle zachriggle Apparently GDB is not installed on Travis by default a3aac27
@zachriggle zachriggle Add warning message to process("foo") vs process("./foo") d312629
@zachriggle zachriggle Add gdb.corefile; make run_in_new_terminal return a PID 018f2f0
@zachriggle zachriggle Intentionally break doctest because I dont believe that it worked 30b8aba
@zachriggle zachriggle Fix codacy issues 0515e5d
@zachriggle zachriggle Fix gdb.attach return value c6dd6b3
@zachriggle zachriggle Add missing import c0aadc8
@zachriggle zachriggle Fix typo, use waitpid 9fa88a7
@zachriggle zachriggle Refactor some code into gdb.version / gdb.binary b61ab53
@zachriggle zachriggle Permit GDB with multipart versions 957a757
@zachriggle zachriggle Fix repr() on Corefile a9f2bdf
@zachriggle zachriggle Silence run-in-new-terminal message for gdb.corefile cf9cd23
@zachriggle zachriggle Fix version number 0abdaac
@zachriggle zachriggle Remove Yama warning message entirely, it should no longer be necessary a5c587a
@zachriggle zachriggle Version detection is hard. Regular expressions to the rescue! 65e908c
@zachriggle zachriggle Remove process.kill/stop/resume, those will be a different PR e2590bd
@zachriggle zachriggle Fix doctests 339c675
@zachriggle zachriggle The GDB used by Travis must be so old!
9d213fc
@Idolf
Idolf approved these changes Jan 3, 2017 View changes

While I haven't reviewed all of this in detail, it looks nice.

As long as you test it as well, as you deem feasible, you have my LGTM.

@zachriggle zachriggle Apparently Travis is entirely borked. Use a less robust test.
2e73076
@zachriggle zachriggle merged commit cca9782 into Gallopsled:dev Jan 4, 2017

2 of 3 checks passed

coverage/coveralls Coverage decreased (-1.3%) to 54.702%
Details
codacy/pr Good work! A positive pull request.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@zachriggle zachriggle deleted the zachriggle:pr-set-ptracer branch Jan 4, 2017
@zachriggle
Contributor

Travis and Codacy passed, Coveralls failed. There's currently no tests for any of the GDB functionality, so that's fine.

@Idolf Idolf modified the milestone: 3.5.0, Someday Jan 10, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment