CVE-2025-46805

Source
Severity: High
Remote: No
Type: Denial of service
Description
In socket.c, lines 646 and 882, time-of-check/time-of-use (TOCTOU) race conditions exist with regard to sending signals to user-supplied PIDs in a setuid-root context.

The CheckPid() function drops privileges to the real user ID and tests whether the kernel allows sending a signal to the target PID with these credentials. The actual signal is sent later via Kill(), potentially using full root privileges. By this time, the PID that was previously checked could have been replaced by a different, privileged process. It might also be possible to trick the (privileged) Screen daemon process into sending signals to itself, since a process is always allowed to send signals to itself.

Currently this should only allow sending SIGCONT and SIGHUP signals, so the impact is likely limited to a local denial of service or a minor integrity violation.
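
The check-then-signal pattern described above, beside one way to close the window, as an added example that is not GNU Screen's code or the upstream patch. The function names are hypothetical, and the process is assumed to run setuid-root with the invoking user as its real UID.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* kill(pid, sig) with the effective UID switched to the real UID. */
static int kill_as_real_user(pid_t pid, int sig)
{
    uid_t saved_euid = geteuid();
    if (seteuid(getuid()) != 0)
        return -1;
    int rc = kill(pid, sig);
    int err = errno;
    if (seteuid(saved_euid) != 0)
        _exit(1);   /* never continue in an unknown credential state */
    errno = err;
    return rc;
}

/* Racy: permission is probed (signal 0) as the real user, but the signal
 * itself goes out later with the effective (root, when setuid) UID. */
int signal_check_then_use(pid_t pid, int sig)
{
    if (kill_as_real_user(pid, 0) != 0)
        return -1;
    /* window: pid can exit and be reused before the next line */
    return kill(pid, sig);
}

/* Hardened: the delivery is the permission check, made by the kernel
 * against whatever process holds the PID at that instant.
 * pid <= 0 would address process groups, so it is rejected. */
int signal_as_real_user(pid_t pid, int sig)
{
    if (pid <= 0) { errno = EINVAL; return -1; }
    return kill_as_real_user(pid, sig);
}

int main(void)
{
    pid_t child = fork();   /* constructed target process */
    if (child < 0) return 1;
    if (child == 0) { pause(); _exit(0); }
    int live = signal_as_real_user(child, SIGCONT);   /* delivered */
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    int gone = signal_as_real_user(child, SIGCONT);   /* PID no longer exists */
    return (live == 0 && gone == -1 && errno == ESRCH) ? 0 : 1;
}
```

When the binary is not setuid, real and effective UIDs are equal and both functions behave the same; the difference only appears when the two UIDs differ.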

Group     Package  Affected  Fixed    Severity  Status  Ticket
AVG-2862  screen   5.0.0-2   5.0.0-3  High      Fixed

Date         Advisory      Group     Package  Severity  Type
13 May 2025  ASA-202505-1  AVG-2862  screen   High      multiple issues

References
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=161f85b98b7e1d5e4893aeed20f4cdb5e3dfaaa4