Full Disclosure mailing list archives

Re: Symlink attack techniques


From: Valdis.Kletnieks () vt edu
Date: Thu, 15 Dec 2005 22:08:17 -0500

On Thu, 15 Dec 2005 18:14:51 CST, James Longstreet said:

> Since it doesn't seem like you can control what gets written to the
> file, you probably can't directly get root access from there.  The
> output could have some ill effect if written to the correct file...
> hard to know without knowing what the output is.
>
> Of course, as was already suggested, you can be malicious and
> destructive and destroy /etc/passwd (or any other file on the
> system), but I don't see right away how to gain root from that.

The trick here is to find some file where the mere *existence* of the
file will alter the behavior of something.  Obvious targets include
/etc/hosts.equiv on boxes still running the BSD r* commands, or things
like /etc/cron.allow.  Other possibilities include finding a cron job
or frequently run program that will misbehave if it can't open a file
with open(..O_EXCL), and so on....

It almost certainly won't get you root by itself, but it may be possible
to use it to leverage a second vulnerability that you wouldn't otherwise be
able to use....
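The following is an added example, not code from the original message or from either poster. It reproduces the "mere existence of the file" trick in a throwaway directory: an attacker plants a symlink at the predictable output path of a privileged job, pointing at a file that does not yet exist (here `hosts.equiv` inside a mkdtemp() scratch directory stands in for the real /etc/hosts.equiv). A writer that opens its output with plain O_CREAT follows the link and brings the target into existence; the same writer with O_CREAT|O_EXCL|O_NOFOLLOW refuses. All paths, the `output.log` name and the function names are assumptions made for the demo; it never touches /etc and cleans up after itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PLEN 256

/* Attacker side (constructed setup): make a private scratch dir and plant
 * output.log -> hosts.equiv, where hosts.equiv does not exist yet.
 * The scratch dir stands in for /tmp, hosts.equiv for /etc/hosts.equiv. */
static int plant_symlink_trap(char *dir, char *out, char *victim)
{
    char tmpl[] = "/tmp/symlinkdemo.XXXXXX";   /* assumed writable /tmp */
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(dir, PLEN, "%s", tmpl);
    snprintf(out, PLEN, "%s/output.log", dir);
    snprintf(victim, PLEN, "%s/hosts.equiv", dir);
    return symlink(victim, out);                /* dangling link */
}

/* Victim side: a privileged job writing a report to a predictable path.
 * hardened == 0: open(O_WRONLY|O_CREAT) follows the planted symlink and
 *                creates the target file, even though the job never
 *                intended to write there.
 * hardened != 0: O_EXCL refuses an existing name (a symlink counts, even
 *                a dangling one) and O_NOFOLLOW refuses to traverse it, so
 *                open() fails with EEXIST/ELOOP and nothing is created.
 * Returns 0 on success, -1 (errno set) if the open or write failed. */
static int write_job_output(const char *path, int hardened)
{
    int flags = O_WRONLY | O_CREAT;
    if (hardened)
        flags |= O_EXCL | O_NOFOLLOW;
    int fd = open(path, flags, 0644);
    if (fd < 0)
        return -1;
    static const char msg[] = "output of a privileged job\n";
    ssize_t w = write(fd, msg, sizeof msg - 1);
    close(fd);
    return w < 0 ? -1 : 0;
}

static void remove_trap(const char *dir, const char *out, const char *victim)
{
    unlink(out);
    unlink(victim);   /* may not exist in the hardened run; ignore errors */
    rmdir(dir);
}

/* Runs the whole scenario once. Returns 1 if the victim file came into
 * existence (attack worked), 0 if the writer was blocked, -1 on setup error. */
int demo_symlink_trap(int hardened)
{
    char dir[PLEN], out[PLEN], victim[PLEN];
    if (plant_symlink_trap(dir, out, victim) != 0)
        return -1;

    int rc = write_job_output(out, hardened);
    int saved_errno = errno;

    /* lstat, not stat: we want to know whether the target itself exists. */
    struct stat st;
    int created = (lstat(victim, &st) == 0 && S_ISREG(st.st_mode));

    if (rc != 0)
        fprintf(stderr, "hardened=%d: open() refused: %s\n",
                hardened, strerror(saved_errno));

    remove_trap(dir, out, victim);
    return created;
}

int main(void)
{
    printf("plain O_CREAT  : victim created = %d\n", demo_symlink_trap(0));
    printf("O_EXCL|NOFOLLOW: victim created = %d\n", demo_symlink_trap(1));
    return 0;
}
```

Two caveats for anyone reproducing this. First, the hardened open() turning into an EEXIST failure is exactly the second angle the message raises: a cron job that aborts, or worse mis-handles, when its O_EXCL open fails is a denial-of-service or logic target in its own right, so the writer must treat that error path deliberately (for instance, create its output under a private directory it owns and check the opened descriptor with fstat()). Second, Linux since 3.6 ships fs.protected_symlinks, which blocks following symlinks in sticky world-writable directories such as /tmp when the link owner differs from the follower; the demo uses a private mkdtemp() directory precisely so that mitigation does not interfere with seeing the plain O_CREAT behaviour.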

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
