In a CTF style exercise I got, there is a server that uses fork() and an exec function to run a binary for each client connection. I was able to find a vulnerability in the binary that allows me to call an arbitrary address and also to leak information. I thought I'd use that to leak a libc function's (say printf) address from the process' import table, then use that to find the address of system and run that. My assumption - which is reinforced by everything I read online - is that ASLR only randomizes libc's location in the parent process, and all child processes should have the same location for it. So I should be able to leak the address in one connection and use it in another. However I seem to get a different address for printf each time. Running locally I can also use GDB and confirm that the address changes each time. So what's going on?
It's not the fork that's getting you, it's the exec. When a process does an exec, it gets a completely new address space, losing all of the dynamic libraries that it had loaded, including libc. The dynamic linker loads the libraries that the new program needs, giving them new addresses. Every exec is an opportunity to randomize library addresses again.