| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Apr 2008 08:49:03 -0700
From: David Weston <DAVID.G.WESTON@...c.com>
To: Nate McFeters <nate.mcfeters@...il.com>,
"I)ruid" <druid@...ghq.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: CAU-2008-0001 - Slowly Closing Door Race
Condition
I saw Nate do a 0day sploit on this at the Hard Rock Amsterdam!
On 3/31/08 10:18 PM, "Nate McFeters" <nate.mcfeters@...il.com> wrote:
> Hahaha, nice find.
>
> On 4/1/08, I)ruid <druid@...ghq.org> wrote:
>> ____ ____ __ __
>> / \ / \ | | | |
>> ----====####/ /\__\##/ /\ \##| |##| |####====----
>> | | | |__| | | | | |
>> | | ___ | __ | | | | |
>> ------======######\ \/ /#| |##| |#| |##| |######======------
>> \____/ |__| |__| \______/
>>
>> Computer Academic Underground
>> http://www.caughq.org
>> Security Advisory
>>
>> ===============/========================================================
>> Advisory ID: CAU-2008-0001
>> Release Date: 04/01/2008
>> Title: Slowly Closing Door Race Condition
>> Application/OS: Physical Structures
>> Topic: Physical structures employing exit doors with locks
>> are vulnerable to a race condition.
>> Vendor Status: Not Notified
>> Attributes: Physical, Race Condition
>> Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt
>> Author/Email: CAU <advisories (at) caughq.org <http://caughq.org> >
>> ===============/========================================================
>>
>> Overview
>> ========
>>
>> Physical structures which employ automatically locking doors to secure
>> exit points expose a race condition which may allow unauthorized entry.
>>
>>
>> Impact
>> ======
>>
>> Malicious outsiders may be able to enter a structure via an exit point.
>>
>> Exit points may additionally provide an exit from a secure area of the
>> structure, allowing an outsider entering through the exit point to gain
>> direct access to the secure area.
>>
>>
>> Affected Systems
>> ================
>>
>> Physical structures which employ automatically locking doors at exit
>> points of the structure.
>>
>>
>> Technical Explanation
>> =====================
>>
>> An exit's lock[1] generally converts a two-way door into a one-way
>> door, allowing a person to traverse the door's threshold in one
>> direction but not in the other. These types of locks are used to
>> secure exit points of structures so that people may exit via the door
>> but not re-enter without disabling the lock through force or
>> authentication.
>>
>> When a person exits the structure through an exit point which is
>> secured by such a mechanism, a race condition exists wherein a
>> malicious outsider may be able to reach the door and enter through it
>> before it closes and locks itself.
>>
>> Many doors, especially heavier ones, also employ closing mechanisms[2]
>> which are designed to cause the door to close slowly so as not to slam
>> the door shut and damage the door frame, or damage any human appendage
>> which may be in between the door and it's frame. Such closing
>> mechanisms can greatly increase the amount of time that the race
>> condition exists.
>>
>>
>> Solution & Recommendations
>> ==========================
>>
>> 1) Always ensure that personnel exiting an exit door wait outside the
>> door until it has completely closed and locked before walking
>> away.
>>
>> 2) Employ a double door system such as is used in an air-lock where
>> the interior door must be secured prior to the exterior door being
>> allowed to open.
>>
>>
>> Exploitation
>> ============
>>
>> First identify the exit point that you want to exploit. Stand at a
>> safe distance during a high-traffic time and watch for people to use
>> the exit point. Time how long it takes for the door to close and
>> lock itself when someone traverses the exit point.
>>
>> Next, identify a safe hiding place near the exit point, preferably
>> in a direction that would be behind a person exiting the door, but
>> which is within a distance to the exit point which you could traverse
>> in under the door's closing time at a brisk pace or run.
>>
>> Finally, hide in this location during a lower traffic time and wait
>> for someone to utilize the exit point. After they have exited the
>> door and are walking away, run to the door and enter before it has
>> closed and locked. Extra points are awarded for a spectacular dive
>> and/or roll to catch the door at the very last second.
>>
>>
>> References
>> ==========
>>
>> [1] http://en.wikipedia.org/wiki/Lock_%28device%29
>> [2] http://en.wikipedia.org/wiki/Door_closer
>>
>>
>> Credits & Gr33ts
>> ================
>>
>> Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
>>
>>
>> --
>> I)ruid, CĀ²ISSP
>> druid@...ghq.org
>> http://druid.caughq.org
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> Thanks,
>> David Weston
>> Security Engineer
>> Science Application International Corporation
>> Web: http://www.saic.com/infosec
>> Email:DAVID.G.WESTON@...c.com
>> Office:858-826-5435
>> Cell: 310-866-9713
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists