PID re-use vulnerability #2995
Comments
|
Additional note: it seems that Flatpak uses Bubblewrap's
While PID namespaces make it more difficult for a malicious app to perform PID re-use attacks, I still think it's possible (assuming the default max PID, estimating the number of dummy processes that we need to create, opening as many sockets as possible in the first child process to get multiple tries, doing a dry run to gather data, maybe D-Bus' |
|
I don't think it is worth to keep an issue open for this. Please reopen this if you do the research and find an actual vulnerability |
|
Note to self: the X11 XRes extension is another way for a process to discover its PID outside of the namespace. |
Disclaimer: I haven't actually checked whether this is an actual vulnerability. Please consider this more like a question.
Is Flatpak vulnerable to PID re-use?
The principle of PID re-use is:
Here is a rough, incomplete PoC: https://paste.sr.ht/%7Eemersion/58bd06c2f57e3c8dedb625af6719ce7b8149c0c7
In practice, a "privileged process" means a process outside of a Flatpak, or a Flatpak process with additional permissions. A malicious app could rely on luck or on social engineering for this to happen.
It seems to me that the PID is used in quite a few places to identify the process on the other end of the connection:
flatpak/portal/flatpak-portal-app-info.c
Line 100 in e8816b7
Thoughts?
The text was updated successfully, but these errors were encountered: