Full Disclosure mailing list archives
Re: Symlink vulnerabilities
From: xD 0x41 <secn3t () gmail com>
Date: Wed, 26 Oct 2011 10:33:42 +1100
Hi Michael,

I will try to lever it past, using some extra code, but it will still bump into ASLR, I think. When I see you commenting on it and backing what I have said, it makes me think that I am probably right on this one. Anyhow, I will leave it here; I think I have said what needs to be said, that is: (a) it is not a kernel object that is simply *won* with any race condition, any binary... and (b) there is much better protection against this stuff than there ever has been, even in lower-level vanilla boxes (i.e. Ubuntu is a major target for this stuff...). If Tavis can make it work, then I don't see how I can beat that; he is far superior to me in this area, and I bow to him. Although, I believe he and vlad are both incorrect, and the Ubuntu and Debian sec teams have been RIGHT in leaving it low priority, and this is simply because I have always read their gits and watched the pulls etc. They're not talking much about it; they have spoken of it and recreated it, obviously, from their own talks, but they must also have bumped into this same problem. I know there are ways around it, but NOT using this binary... not this method.

I mean nobody any disrespect. I just wanted to be sure we are prioritising even what is posted to the list, for example, and even such a small area is very important to discuss, and hat colour doesn't matter; this affects all boxes, even the black ones... as I see things.

I will try better but, so far, no banana with this binary, only flaws from it being blocked every time... and no hope with using cron so far to make it, although I dare not even try, since it could not bypass to gain root. I kinda stopped code production there, which is all but about 10 lines anyhow. I think many people could easily reproduce the said PoC, but I guess it would take a lot more than just some symlink trick to push this one any further.

Cheers,
xd

On 26 October 2011 10:04, Michal Zalewski <lcamtuf () coredump cx> wrote:

> > You can make it bypass ASLR?
>
> No, you are absolutely correct, this vulnerability can't be used to bypass ASLR. Score one for address space randomization.
>
> /mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/