Full Disclosure mailing list archives

Re: Symlink vulnerabilities


From: xD 0x41 <secn3t () gmail com>
Date: Wed, 26 Oct 2011 10:33:42 +1100

Hi Michael,
    I will try to lever it past, using some extra code, but it will still
bump into ASLR I think.
When I see you commenting on it and backing what I have said, it makes me
think that I am probably right on this one.
Anyhow, I will leave it here. I think I have said what needs to be said, that
is: a. it is not a kernel object that is simply *won* with any race condition,
any binary... and b. there is much better protection against this stuff
than there ever has been, even in lower-level vanilla boxes (i.e. Ubuntu is a
major target for this stuff...).
If Tavis can make it work, then I don't see how I can beat that; he is far
superior to me in this area, and I bow to him.
Although I believe he and Vlad are both incorrect, and the Ubuntu and
Debian sec teams have been RIGHT in leaving it low priority, and this is
simply because I have always read their gits and watched the pulls etc.;
they're not talking much about it, they have spoken of it and recreated it,
obviously, from their own talks, but they must also have bumped into this
same problem..
I know there are ways around it, but NOT using this binary.... not this
method.
I mean nobody any disrespect, I just wanted to be sure we are prioritising
even what is posted to the list, for example, and even such a small area is
very important to discuss, and hat colour doesn't matter, this affects all
boxes, even the black ones... as I see things.
I will try better but, so far, no banana with this binary, only flaws from it
being blocked every time... and no hope with using cron so far to make it,
although I dare not even try since it could not bypass to gain root. I kinda
stopped code production there, which is all but about 10 lines anyhow.. I think
many people could easily reproduce the said PoC, but I guess it would take
a lot more than just some symlink trick to push this one any further.
Cheers,
xd


On 26 October 2011 10:04, Michal Zalewski <lcamtuf () coredump cx> wrote:

> You can make it bypass ASLR?

No, you are absolutely correct, this vulnerability can't be used to
bypass ASLR. Score one for address space randomization.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/