Full Disclosure mailing list archives

Re: Symlink vulnerabilities


From: xD 0x41 <secn3t () gmail com>
Date: Wed, 26 Oct 2011 10:46:19 +1100

Even if bzexe is not used that much, I found similar configurations
(compressed binaries launched via crond) on embedded systems (I think
this is what bzexe was made for).

This is true, you're correct, but then, you don't even have to use a
compression agent... there are still many other holes not even being
discussed... that will 100% give you root. I guess that's why they're not being
discussed though, eh ;)

You don't even have to go *this* far to gain root... I mean, using some
compression agent, etc. etc., and relying on a bug in the binary of a compression
agent, although I have said that there have been MANY bugs in these softwares
for many years now... in some earlier post, so I am really wondering why this
one has even gone to seclists, where there is no proof it gains root
at all.

Just a friendly blackhat tip of the hat to you.
cheers.
xd



On 26 October 2011 05:54, vladz <vladz () devzero fr> wrote:


Hi,

On Tue, Oct 25, 2011 at 12:06:25PM +0200, Tavis Ormandy wrote:
xD 0x41 <secn3t () gmail com> wrote:
    Your 'race condition possibly leading to root' is a myth...
Yes, that's maybe because, race condition or not, it is ASLR which will
prevent ANY rootshell, and yes, it has been tried... You can do
better, go right ahead ;-) I am betting you that's why it ain't being
patched in any hurry, because obv if you read some notes about it in the
commits, you will see they must have reproduced the said bugs, in and with,
more than JUST bzexe even... but anyhow, your PoC is bs.

I think you misunderstood, he's not talking about memory corruption, his
attack sounds like a legitimate filesystem race. I'll try to explain: the
bzexe utility compresses executables and then decompresses them at runtime
by prepending a decompression stub.

Thank you for explaining it to him, I thought he was not replying to the
right thread.

I think it's quite a nice example, and a nice simple solution. Imagine a
system where crond executes a bzexe utility at regular intervals; Vladz'
attack will eventually succeed.

Even if bzexe is not used that much, I found similar configurations
(compressed binaries launched via crond) on embedded systems (I think
this is what bzexe was made for).

vladz.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


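The thread describes the bug class but not the fix, so here is an added example (written for this page, not code from bzexe, vladz, or any poster) of the filesystem-race pattern Tavis describes and the two ways a decompression stub closes it. The scenario is constructed: a stub writes its output to a predictable path in a shared directory, and a symlink already sits at that path. The unsafe writer follows the link and overwrites the link target; the hardened writer uses O_CREAT|O_EXCL|O_NOFOLLOW so the kernel refuses atomically; the third variant lets mkstemp choose an unpredictable name so there is nothing to pre-plant. All paths and names here are illustrative assumptions.

```python
import errno
import os
import tempfile


def write_predictable(path, data):
    """Unsafe pattern: open(path, "wb") truncates and writes through an
    existing symlink at `path`, so the link target gets clobbered."""
    with open(path, "wb") as fh:
        fh.write(data)


def write_exclusive(path, data):
    """Hardened pattern for a fixed name: O_CREAT|O_EXCL refuses any
    existing entry, O_NOFOLLOW refuses a symlink, mode 0600 keeps the
    result private.  Returns True on success, False if the kernel
    reported something already at `path` (EEXIST or ELOOP)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    except OSError as exc:
        if exc.errno == errno.ELOOP:   # O_NOFOLLOW hit a symlink
            return False
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def write_unpredictable(directory, data):
    """Preferred pattern: mkstemp picks a random name, opens it with
    O_EXCL and mode 0600, and hands back the fd and the path."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="stub-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def _read(path):
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Run the three writers against a constructed pre-planted symlink and
    return a dict of outcomes so the behaviours can be compared."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")          # constructed target file
        link = os.path.join(tmp, "predictable-name")  # constructed stub output path
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        os.symlink(victim, link)  # constructed: symlink already at the predictable path

        # 1. Unsafe writer: the write lands in `victim` via the symlink.
        write_predictable(link, b"clobbered\n")
        results["unsafe_followed_link"] = _read(victim) == b"clobbered\n"

        # 2. Hardened writer against the same symlink: refused, victim untouched.
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        results["exclusive_refused"] = write_exclusive(link, b"clobbered\n") is False
        results["victim_intact"] = _read(victim) == b"original\n"
        # It also refuses a pre-existing regular file, not just a symlink.
        results["exclusive_refuses_regular"] = write_exclusive(victim, b"x\n") is False

        # 3. Hardened writer on a name nobody pre-planted: succeeds, mode 0600.
        fresh = os.path.join(tmp, "fresh-name")
        ok = write_exclusive(fresh, b"payload\n")
        results["exclusive_fresh_ok"] = ok and (os.stat(fresh).st_mode & 0o777) == 0o600

        # 4. mkstemp: random name inside the directory, never a symlink.
        path = write_unpredictable(tmp, b"payload\n")
        results["mkstemp_in_dir"] = (
            os.path.dirname(path) == tmp and not os.path.islink(path)
            and _read(path) == b"payload\n"
        )
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth keeping from the example is that the fix is in the open flags, not in a preceding check: an lstat() to see whether the path is a symlink, followed by a separate open(), is itself a race of exactly the kind discussed in the thread, because the link can be planted between the two calls. O_EXCL with O_NOFOLLOW makes the refusal atomic, and mkstemp removes the predictable name altogether, which is why it is the right tool for a stub that unpacks into a shared directory such as /tmp.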