Full Disclosure mailing list archives
Re: Symlink vulnerabilities
From: xD 0x41 <secn3t () gmail com>
Date: Wed, 26 Oct 2011 10:46:19 +1100
> Even if bzexe is not used that much, I found similar configurations (compressed binaries launched via crond) on embedded systems (I think this is what bzexe was made for).

This is true, you're correct, but then you don't even have to use a compression agent. There are still many other holes not even being discussed that will 100% give you root. I guess that's why they're not being discussed, though, eh ;)

You don't even have to go *this* far to gain root... I mean, using some compression agent, etc. etc., and relying on a bug in the binary of a compression agent, although I have said in some earlier post that there have been MANY bugs in this software for many years now. So I am really wondering why this one has even gone to seclists, where there is no proof it gains root at all.

Just a friendly blackhat tip of the hat to you.

cheers.
xd

On 26 October 2011 05:54, vladz <vladz () devzero fr> wrote:
> Hi,
>
> On Tue, Oct 25, 2011 at 12:06:25PM +0200, Tavis Ormandy wrote:
> > xD 0x41 <secn3t () gmail com> wrote:
> > > Your 'race condition possibly leading to root' is a myth... Yes, that's maybe because, race condition or not, it is ASLR which will prevent ANY rootshell, and yes, it has been tried... You can do better, go right ahead ;-) I am betting you that's why it ain't being patched in any hurry, because obviously if you read some notes about it in the commits, you will see they must have reproduced the said bugs, in and with, more than JUST bzexe even... but anyhow, your PoC is bs.
> >
> > I think you misunderstood, he's not talking about memory corruption, his attack sounds like a legitimate filesystem race. I'll try to explain, the bzexe utility compresses executables and then decompresses them at runtime by prepending a decompression stub.
>
> Thank you for explaining it to him, I thought he was not replying to the right thread.
>
> > I think it's quite a nice example, and a nice simple solution. Imagine a system where crond executes a bzexe utility at regular intervals, Vladz' attack will eventually succeed.
>
> Even if bzexe is not used that much, I found similar configurations (compressed binaries launched via crond) on embedded systems (I think this is what bzexe was made for).
>
> vladz.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
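The filesystem race Tavis describes in the quoted exchange (a decompression stub that writes its payload to a temporary file in a shared directory before running it, with a local attacker pre-planting a symlink at the name the stub will use) can be shown without bzexe at all. The script below is an added example and is not code from this thread or from the bzexe stub itself: the "vulnerable" and "hardened" stubs are stand-ins, every path is constructed inside a private scratch directory that stands in for a world-writable /tmp, and the `$1` argument plays the role of `$$` so the "guessed PID" is reproducible.

```shell
#!/bin/sh
# Added example (not from the thread, not bzexe's stub): a symlink race against
# a self-extracting stub that writes to a guessable name in a shared directory,
# next to a hardened stub. All paths are constructed under a scratch directory.

SANDBOX=$(mktemp -d) || exit 1
SHARED="$SANDBOX/shared"             # stands in for a world-writable /tmp
VICTIM="$SANDBOX/root-owned.conf"    # the file the attacker wants clobbered
mkdir -p "$SHARED"
printf 'original\n' > "$VICTIM"

# Vulnerable stub: "decompress" the payload to a name derived from the PID.
# $1 stands in for $$ so the demonstration is reproducible.
vulnerable_stub() {
    out="$SHARED/stub$1"
    printf 'payload\n' > "$out"      # '>' follows a pre-planted symlink
    rm -f "$out"                     # cleanup removes the link, not the target
}

# Hardened stub: a private directory with an unpredictable name (mktemp -d)
# plus noclobber (set -C), which refuses to truncate anything already present
# at the target, so a symlink cannot be opened even if the name were guessed.
hardened_stub() {
    dir=$(mktemp -d "$SHARED/stub.XXXXXX") || return 1
    ( set -C; printf 'payload\n' > "$dir/bin" ) || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
}

# Attacker: guess the PID and plant a symlink before the stub runs.
plant_symlink() {
    ln -s "$VICTIM" "$SHARED/stub$1"
}

victim_contents() { cat "$VICTIM"; }

# Vulnerable run: the stub writes through the attacker's symlink.
run_vulnerable_demo() {
    plant_symlink 4242
    vulnerable_stub 4242
    victim_contents                  # "payload": the target was overwritten
}

# Hardened run: the planted symlink is never touched.
run_hardened_demo() {
    printf 'original\n' > "$VICTIM"  # reset after the vulnerable run
    plant_symlink 7777
    hardened_stub || return 1
    victim_contents                  # still "original"
}

# Even when the attacker guesses exactly where a stub will write, noclobber
# makes the redirection fail instead of following the link.
noclobber_refuses_symlink() {
    printf 'original\n' > "$VICTIM"
    ln -s "$VICTIM" "$SHARED/guessed"
    ( set -C; printf 'payload\n' > "$SHARED/guessed" ) 2>/dev/null && return 1
    [ "$(victim_contents)" = "original" ]
}

# Stand-alone run: ./race.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "vulnerable stub: victim now contains '$(run_vulnerable_demo)'"
    echo "hardened stub:   victim still contains '$(run_hardened_demo)'"
    rm -rf "$SANDBOX"
fi
```

Run it as an ordinary user; nothing here needs root. The attack only needs the temporary name to be predictable and the directory to be writable by the attacker, which is the crond scenario quoted above: PIDs are allocated sequentially, so a job started on a schedule lands in a narrow range, and the attacker can plant one symlink per candidate name. The sticky bit on /tmp does not help, because the stub is opening a link the attacker owns; Linux's fs.protected_symlinks sysctl (3.6 and later, so after this thread) refuses to follow such a link in a sticky world-writable directory, but a stub should still use mktemp and refuse to clobber rather than rely on that.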
Current thread:
- Re: Symlink vulnerabilities, (continued)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities bugs (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities bugs (Oct 27)
- Re: Symlink vulnerabilities vladz (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities xD 0x41 (Oct 27)
- Re: Symlink vulnerabilities xD 0x41 (Oct 25)
- Re: Symlink vulnerabilities vladz (Oct 25)
- Re: Symlink vulnerabilities xD 0x41 (Oct 25)