Full Disclosure mailing list archives
Rigged Race Against Firejail for Local Root: Using pipes/ptys to win races
From: Roman Fiedler <roman.fiedler () unparalleled eu>
Date: Thu, 18 Feb 2021 08:56:30 +0000
Hello List,

100% reliable exploitation of file system time races (TOCTOU vulnerabilities) may be hard as the timing depends on numerous target system parameters (CPU cores, load, memory pressure, file system type, ...). Instead of optimizing the exploit to win the real race, the timing of Firejail stderr and stdout output was analyzed. With the correct parameters known the Firejail process can be frozen exactly in the right moment when attempting to write a message to a filled pipe (blocking write). Thus the exploit has any time in the world to modify the file system before restarting Firejail by emptying the pipe again.

The technique proved useful to cut down the time required from vulnerability discovery to creating a working exploit using the recipe given in [1].

[1] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
[2] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/UnjailMyHeart.c
[3] https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt

Kind regards,
Roman Fiedler

DI Roman Fiedler
roman.fiedler at unparalleled.eu
+43 677 63 29 28 29
Unparalleled IT Services e.U.
FN: 516074h VAT: ATU75050524
https://unparalleled.eu/
Felix-Dahn-Platz 4, 8010 Graz, Austria

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
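The mechanism the post relies on is ordinary pipe semantics: a process whose stdout/stderr is a pipe that nobody drains goes to sleep inside write() once the pipe is full, and stays asleep until the reader drains it, so the reader decides when the writer runs again. The C program below is an added example written for this archive page; it is not code from the advisory, the blog post or Firejail. It demonstrates that behaviour safely (the writer is switched to O_NONBLOCK so the demo observes EAGAIN instead of hanging), and beside it the defensive pattern for the file-system side of such a race: take the file descriptor first and inspect what was actually opened with fstat() and O_NOFOLLOW, instead of a stat()-then-open() sequence that leaves a window to swap the path. It assumes Linux (F_GETPIPE_SZ) and a writable /tmp; the file names it creates are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pipe capacity in bytes (Linux-specific fcntl); -1 on error. */
long pipe_capacity(int fd) { return fcntl(fd, F_GETPIPE_SZ); }

/* Write 4 KiB chunks into the write end (set to O_NONBLOCK so this demo never
 * hangs itself) until the kernel answers EAGAIN.  A writer that did NOT set
 * O_NONBLOCK, e.g. a privileged process printing diagnostics to stderr, is put
 * to sleep at exactly this point.  Returns bytes absorbed, or -1 on error. */
long fill_pipe(int wfd) {
    char chunk[4096];
    memset(chunk, 'x', sizeof chunk);
    int flags = fcntl(wfd, F_GETFL);
    if (flags < 0 || fcntl(wfd, F_SETFL, flags | O_NONBLOCK) < 0) return -1;
    long total = 0;
    for (;;) {
        ssize_t n = write(wfd, chunk, sizeof chunk);
        if (n > 0) { total += n; continue; }
        return (n < 0 && errno == EAGAIN) ? total : -1;
    }
}

/* 1 if a one-byte write would block (pipe full), 0 if it went through. */
int writer_would_block(int wfd) {
    ssize_t n = write(wfd, "y", 1);
    if (n == 1) return 0;
    return (n < 0 && errno == EAGAIN) ? 1 : -1;
}

/* Read up to n bytes from the read end; this is what lets the sleeping
 * writer continue.  Returns bytes drained. */
long drain_pipe(int rfd, long n) {
    char buf[4096];
    long got = 0;
    while (got < n) {
        long want = (n - got < (long)sizeof buf) ? n - got : (long)sizeof buf;
        ssize_t r = read(rfd, buf, (size_t)want);
        if (r <= 0) break;
        got += r;
    }
    return got;
}

/* fill -> writer blocked -> drain one page -> writer runnable again.
 * Returns 1 when the sequence behaves as described, 0 otherwise. */
int demo_pipe_freeze(void) {
    int p[2];
    if (pipe(p) < 0) return 0;
    long cap = pipe_capacity(p[1]);
    long filled = fill_pipe(p[1]);
    int blocked = writer_would_block(p[1]);
    long drained = drain_pipe(p[0], 4096);
    int unblocked = writer_would_block(p[1]);
    close(p[0]); close(p[1]);
    return cap > 0 && filled > 0 && filled <= cap &&
           blocked == 1 && drained == 4096 && unblocked == 0;
}

/* TOCTOU-resistant open: obtain the fd first, then inspect the object that was
 * actually opened.  O_NOFOLLOW refuses a symlink as final component, and
 * fstat() on the fd cannot be raced by swapping the path, unlike a separate
 * stat() before open().  Returns the fd, or -1 with errno set. */
int open_regular_nofollow(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed sample: a regular file plus a symlink to it under /tmp.  The
 * file must open, the symlink must be refused with ELOOP.  Returns 1 on the
 * expected outcome, 0 otherwise. */
int demo_nofollow_check(void) {
    char file[] = "/tmp/unpar-demo-XXXXXX";   /* constructed path template */
    char link[64];
    int fd = mkstemp(file);
    if (fd < 0) return 0;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    int ok = 0;
    if (symlink(file, link) == 0) {
        int good = open_regular_nofollow(file);
        int bad = open_regular_nofollow(link);
        int err = errno;
        ok = good >= 0 && bad < 0 && err == ELOOP;
        if (good >= 0) close(good);
        unlink(link);
    }
    unlink(file);
    return ok;
}

int main(void) {
    printf("writer freezes on full pipe and resumes after drain: %s\n",
           demo_pipe_freeze() ? "yes" : "no");
    printf("symlink refused by fd-based check: %s\n",
           demo_nofollow_check() ? "yes" : "no");
    return 0;
}
```

The first half is the reason unprivileged control of a privileged process's stdout/stderr is worth treating as a risk in its own right: the point at which the writer stops is fixed by the pipe capacity and the byte offset of the message, both of which the reader can measure. The second half is the pattern that removes the file-system window regardless of scheduling, because every decision is taken on the descriptor that will be used, not on a path that can change underneath.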