Full Disclosure mailing list archives
Re: Symlink attack techniques
From: Valdis.Kletnieks () vt edu
Date: Thu, 15 Dec 2005 22:08:17 -0500
On Thu, 15 Dec 2005 18:14:51 CST, James Longstreet said:
> Since it doesn't seem like you can control what gets written to the file, you probably can't directly get root access from there. The output could have some ill effect if written to the correct file... hard to know without knowing what the output is.
> Of course, as was already suggested, you can be malicious and destructive and destroy /etc/passwd (or any other file on the system), but I don't see right away how to gain root from that.
The trick here is to find some file where the mere *existence* of the file will alter the behavior of something. Obvious targets include /etc/hosts.equiv on boxes still running the BSD r* commands, or things like /etc/cron.allow. Other possibilities include finding a cron job or frequently run program that will misbehave if it can't open a file with open(..O_EXCL), and so on.... It almost certainly won't get you root by itself, but it may be possible to use it to leverage a second vulnerability that you wouldn't otherwise be able to use....
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
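The two levers in Valdis's reply, a privileged writer following an attacker-planted symlink versus refusing it with O_EXCL, and a file whose mere existence changes policy (the cron.allow case), as an added worked example that is not part of the thread. Everything runs in a throwaway mkdtemp() directory: "victim" stands in for /etc/passwd, "cron.allow" for /etc/cron.allow, and the function names, the simplified allow-file rule and the file contents are all constructed for this example.

```c
/* Added example, not from the thread. Constructed scenario in a throwaway
 * mkdtemp() directory; "victim" stands in for /etc/passwd, "cron.allow" for
 * /etc/cron.allow. All function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define SENTINEL "root:x:0:0:root:/root:/bin/sh\n"  /* constructed contents */

/* Naive pattern: a privileged job writes its output to a predictable path.
 * O_CREAT|O_TRUNC follows a symlink, so the data lands wherever it points. */
int write_following_links(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -errno : 0;
}

/* Hardened pattern: O_EXCL fails with EEXIST if anything (file or symlink)
 * already sits at the path, so the write cannot be redirected. The flip side
 * is the denial-of-service lever: planting any entry makes the job fail. */
int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -errno;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -errno : 0;
}

/* Simplified model of the cron.allow rule (assumption: real crons also consult
 * cron.deny): once the allow file EXISTS, only users listed in it get cron.
 * An allow file holding garbage therefore locks every user out. */
int cron_user_allowed(const char *allow_path, const char *user)
{
    FILE *f = fopen(allow_path, "r");
    if (!f)
        return errno == ENOENT ? 1 : 0;   /* no allow file: no restriction */
    char line[128];
    int allowed = 0;
    while (fgets(line, sizeof line, f)) {
        line[strcspn(line, "\n")] = '\0';
        if (strcmp(line, user) == 0) { allowed = 1; break; }
    }
    fclose(f);
    return allowed;
}

static int file_equals(const char *path, const char *expect)
{
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

struct demo_result {
    int victim_clobbered;   /* naive writer overwrote victim through the link */
    int exclusive_rc;       /* O_EXCL writer's return against the planted link */
    int victim_intact;      /* victim unchanged after the O_EXCL attempt */
    int cron_before, cron_after;  /* "alice" allowed cron before/after attack */
};

int run_symlink_demo(struct demo_result *r)
{
    char dir[] = "/tmp/symdemoXXXXXX";
    if (!mkdtemp(dir)) return -errno;
    char victim[300], spool[300], allow[300];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(allow,  sizeof allow,  "%s/cron.allow", dir);
    snprintf(spool,  sizeof spool,  "%s/job.out", dir);  /* guessable name */
    memset(r, 0, sizeof *r);

    write_following_links(victim, SENTINEL);
    r->cron_before = cron_user_allowed(allow, "alice");

    /* Attack 1: plant job.out -> victim, then the naive job clobbers it. */
    if (symlink(victim, spool) != 0) return -errno;
    write_following_links(spool, "garbage\n");
    r->victim_clobbered = file_equals(victim, "garbage\n");

    /* Same planted link against the O_EXCL writer: refused, victim untouched. */
    write_following_links(victim, SENTINEL);
    r->exclusive_rc = write_exclusive(spool, "garbage\n");
    r->victim_intact = file_equals(victim, SENTINEL);

    /* Attack 2: content is irrelevant, existence is everything. Re-point the
     * link at cron.allow; whatever the job writes, the file now exists. */
    unlink(spool);
    if (symlink(allow, spool) != 0) return -errno;
    write_following_links(spool, "garbage\n");
    r->cron_after = cron_user_allowed(allow, "alice");

    unlink(spool); unlink(victim); unlink(allow); rmdir(dir);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_symlink_demo(&r) != 0) { perror("demo"); return 1; }
    printf("clobbered=%d exclusive_rc=%d (EEXIST=-%d) intact=%d cron %d->%d\n",
           r.victim_clobbered, r.exclusive_rc, EEXIST, r.victim_intact,
           r.cron_before, r.cron_after);
    return 0;
}
```

Note that O_EXCL closes the redirection but not the denial-of-service: the attacker can still make the hardened job fail by planting anything at the path, which is exactly the failure mode Valdis suggests chaining with a second weakness.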