Full Disclosure mailing list archives
Re: Symlink vulnerabilities
From: Valdis.Kletnieks () vt edu
Date: Thu, 27 Oct 2011 13:51:19 -0400
On Thu, 27 Oct 2011 10:31:12 PDT, Andrew Farmer said:
And systems like inotify make filesystem races trivial to win. I wouldn't be surprised if you could win this particular race reliably by watching for the files bzexe drops and acting immediately when they show up.
Good point. That actually has multiple benefits - first off, you don't have a 'while (1)' loop in your code that's easily spotted on a 'ps' or 'top'. So you can afford to set the inotify and wait (potentially days, if needed) with less chance of detection. And then when the inotify pops and tells you your file is ready to be exploited, the circumstances of returning from the blocked syscall will tend to give your process a scheduling boost, improving your chances of winning the race because you'll schedule soon. It's amazing how many optimizations people are coming up for a vulnerability that some were saying is impossible to exploit. ;)
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Symlink vulnerabilities, (continued)
- Re: Symlink vulnerabilities xD 0x41 (Oct 27)
- Re: Symlink vulnerabilities Jeffrey Walton (Oct 27)
- Re: Symlink vulnerabilities xD 0x41 (Oct 27)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 27)
- Re: Symlink vulnerabilities bugs (Oct 27)
- Re: Symlink vulnerabilities xD 0x41 (Oct 27)
- Message not available
- Re: Symlink vulnerabilities bugs (Oct 27)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 27)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 27)
- Re: Symlink vulnerabilities Andrew Farmer (Oct 27)
- Re: Symlink vulnerabilities Valdis . Kletnieks (Oct 27)
- Re: Symlink vulnerabilities GloW - XD (Oct 27)
- Re: Symlink vulnerabilities halfdog (Oct 27)
- Re: Symlink vulnerabilities xD 0x41 (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities bugs (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)
- Re: Symlink vulnerabilities bugs (Oct 27)
- Re: Symlink vulnerabilities vladz (Oct 27)
- Re: Symlink vulnerabilities Benjamin Renaut (Oct 27)