Penetration Testing mailing list archives
Re: Mac symlink attack techniques?
From: Jon Hart <jhart () spoofed org>
Date: Sun, 13 Apr 2008 22:22:15 -0700
On Sat, Apr 12, 2008 at 12:35:49PM -0400, Paul Melson wrote:

> You can create /etc/rc.installer_cleanup which typically doesn't usually exist, but if it does is run by init to complete software installs after reboot. If you are able to also force a reboot (or even count on one occurring at a certain time), it's pretty much game over.

Good suggestion. However, /etc/rc.installer_cleanup must be executable because it is called as so from /etc/rc:

    if [ -f /etc/rc.installer_cleanup ]; then
        /etc/rc.installer_cleanup multiuser
    fi

In this particular situation, the files are created 666 exclusively, so a symlink attack that writes /etc/rc.installer_cleanup will not be a viable exploit route. At least not directly.

What makes this more difficult is that if the target of a symlink already exists, the vulnerable application preserves its permissions, so the 666 permissions cannot be exploited.

Thanks for your input,

-jon
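The discussion above turns on three properties of a root-executed startup hook such as /etc/rc.installer_cleanup: whether the path is a symlink rather than a regular file, whether it is group- or world-writable (the 666 case), and whether it carries an execute bit at all (without one, /etc/rc cannot run it). The following audit helper is an added example, not code from this thread or from any Apple script; the function name `audit_startup_hook`, the `trusted_uid` parameter and the temporary files built in `demo()` are all constructed for illustration. It runs unprivileged by passing the current uid as the trusted owner; on a real system the check would use uid 0 against the actual hook path.

```python
import os
import stat
import tempfile


def audit_startup_hook(path, trusted_uid=0):
    """Return a list of findings for a file that a root-run startup script
    would execute. An empty list means: regular file, owned by trusted_uid,
    not writable by group/other, and executable. (Hypothetical helper.)"""
    findings = []
    try:
        st = os.lstat(path)  # lstat so a symlink is seen as a symlink
    except FileNotFoundError:
        return ["absent"]
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink")
        try:
            st = os.stat(path)  # now inspect whatever the link resolves to
        except FileNotFoundError:
            findings.append("dangling")
            return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-a-regular-file")
    if st.st_uid != trusted_uid:
        findings.append("not-owned-by-trusted-uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("not-executable")
    return findings


def demo():
    """Build constructed sample files in a temp dir and audit each one.
    Returns {case_name: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        me = os.getuid()  # demo only; production code would pass uid 0

        # Case 1: a hook dropped with mode 666, as the thread describes.
        p1 = os.path.join(d, "hook_666")
        with open(p1, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p1, 0o666)

        # Case 2: a correctly installed hook: regular file, mode 755.
        p2 = os.path.join(d, "hook_755")
        with open(p2, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p2, 0o755)

        # Case 3: a symlink at the hook path pointing at the good file.
        p3 = os.path.join(d, "hook_link")
        os.symlink(p2, p3)

        # Case 4: the hook path simply does not exist.
        p4 = os.path.join(d, "hook_missing")

        for name, p in (("hook_666", p1), ("hook_755", p2),
                        ("hook_link", p3), ("hook_missing", p4)):
            results[name] = audit_startup_hook(p, trusted_uid=me)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'ok'}")
```

The point of using `lstat` first and `stat` second is that a symlink check alone is not enough: the resolved target still has to be a regular, non-writable, executable file owned by the trusted uid, which is exactly the combination of conditions the thread is reasoning about.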
Current thread:
- Mac symlink attack techniques? Jon Hart (Apr 11)
- Re: Mac symlink attack techniques? don bailey (Apr 12)
- Re: Mac symlink attack techniques? Paul Melson (Apr 12)
- Re: Mac symlink attack techniques? Jon Hart (Apr 14)
- Re: Mac symlink attack techniques? Marco Ivaldi (Apr 14)
- Re: Mac symlink attack techniques? Jon Hart (Apr 16)