procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use inotify events to determine when the process list is being scanned, and fork/exec to obtain a lower PID, thus avoiding enumeration. An unprivileged attacker can hide a process from procps-ng's utilities by exploiting a race condition in reading /proc/PID entries. This vulnerability affects procps and procps-ng up to version 3.3.15, newer versions might be affected also.
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
| Link | Tags |
|---|---|
| https://www.exploit-db.com/exploits/44806/ | third party advisory vdb entry exploit |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1121 | third party advisory issue tracking |
| http://www.securityfocus.com/bid/104214 | third party advisory vdb entry |
| http://seclists.org/oss-sec/2018/q2/122 | mailing list third party advisory exploit |
| https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt | third party advisory exploit |