Full Disclosure mailing list archives
Re: Symlink vulnerabilities
From: vladz <vladz () devzero fr>
Date: Tue, 25 Oct 2011 20:54:49 +0200
Hi,

On Tue, Oct 25, 2011 at 12:06:25PM +0200, Tavis Ormandy wrote:
> xD 0x41 <secn3t () gmail com> wrote:
> > Your 'race condition possibly leading to root' is a myth... Yes, that's maybe because race condition or not, it is ASLR which will prevent from ANY rootshell, and Yes, it has been tried... You can do better, go right ahead ;-) I am betting you that's why it ain't being patched in any hurry, because obv if you read some notes about it in the commits, you will see they must have reproduced the said bugs, in and with, more than JUST bzexe even... but anyhow, your PoC is bs.
>
> I think you misunderstood, he's not talking about memory corruption, his attack sounds like a legitimate filesystem race. I'll try to explain, the bzexe utility compresses executables and then decompresses them at runtime by prepending a decompression stub.

Thank you for explaining it to him, I thought he was not replying to the good thread.

> I think it's quite a nice example, and a nice simple solution. Imagine a system where crond executes a bzexe utility at regular intervals, Vladz' attack will eventually succeed.

Even if bzexe is not used that much, I found similar configurations (compressed binaries launched via crond) on embedded systems (I think this is what bzexe was made for).

vladz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/