Date: Tue, 1 Apr 2008 08:58:13 -0500
From: evilrabbi <evilrabbi@...il.com>
To: "Nate McFeters" <nate.mcfeters@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: CAU-2008-0001 - Slowly Closing Door Race Condition

Why would you release something like this without telling the vendor? What
you did is irresponsible.


On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters <nate.mcfeters@...il.com>
wrote:

> Hahaha, nice find.
>
> On 4/1/08, I)ruid <druid@...ghq.org> wrote:
> >
> >                      ____      ____     __    __
> >                     /    \    /    \   |  |  |  |
> >        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
> >                   |  |      |  |__|  | |  |  |  |
> >                   |  |  ___ |   __   | |  |  |  |
> > ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
> >                     \____/  |__|  |__|  \______/
> >
> >
> >                    Computer Academic Underground
> >                        http://www.caughq.org
> >                          Security Advisory
> >
> > ===============/========================================================
> > Advisory ID:    CAU-2008-0001
> > Release Date:   04/01/2008
> > Title:          Slowly Closing Door Race Condition
> > Application/OS: Physical Structures
> > Topic:          Physical structures employing exit doors with locks
> >                are vulnerable to a race condition.
> > Vendor Status:  Not Notified
> > Attributes:     Physical, Race Condition
> > Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0001.txt
> > Author/Email:   CAU <advisories (at) caughq.org>
> > ===============/========================================================
> >
> > Overview
> > ========
> >
> > Physical structures which employ automatically locking doors to secure
> > exit points expose a race condition which may allow unauthorized entry.
> >
> >
> > Impact
> > ======
> >
> > Malicious outsiders may be able to enter a structure via an exit point.
> >
> > Exit points may additionally provide an exit from a secure area of the
> > structure, allowing an outsider entering through the exit point to gain
> > direct access to the secure area.
> >
> >
> > Affected Systems
> > ================
> >
> > Physical structures which employ automatically locking doors at exit
> > points of the structure.
> >
> >
> > Technical Explanation
> > =====================
> >
> > An exit's lock[1] generally converts a two-way door into a one-way
> > door, allowing a person to traverse the door's threshold in one
> > direction but not in the other.  These types of locks are used to
> > secure exit points of structures so that people may exit via the door
> > but not re-enter without disabling the lock through force or
> > authentication.
> >
> > When a person exits the structure through an exit point which is
> > secured by such a mechanism, a race condition exists wherein a
> > malicious outsider may be able to reach the door and enter through it
> > before it closes and locks itself.
> >
> > Many doors, especially heavier ones, also employ closing mechanisms[2]
> > which are designed to cause the door to close slowly so as not to slam
> > the door shut and damage the door frame, or damage any human appendage
> > which may be in between the door and its frame.  Such closing
> > mechanisms can greatly increase the amount of time that the race
> > condition exists.
> >
> >
> > Solution & Recommendations
> > ==========================
> >
> > 1) Always ensure that personnel exiting an exit door wait outside the
> >   door until it has completely closed and locked before walking
> >   away.
> >
> > 2) Employ a double door system such as is used in an air-lock where
> >   the interior door must be secured prior to the exterior door being
> >   allowed to open.
> >
> >
> > Exploitation
> > ============
> >
> > First identify the exit point that you want to exploit.  Stand at a
> > safe distance during a high-traffic time and watch for people to use
> > the exit point.  Time how long it takes for the door to close and
> > lock itself when someone traverses the exit point.
> >
> > Next, identify a safe hiding place near the exit point, preferably
> > in a direction that would be behind a person exiting the door, but
> > which is within a distance to the exit point which you could traverse
> > in under the door's closing time at a brisk pace or run.
> >
> > Finally, hide in this location during a lower traffic time and wait
> > for someone to utilize the exit point.  After they have exited the
> > door and are walking away, run to the door and enter before it has
> > closed and locked.  Extra points are awarded for a spectacular dive
> > and/or roll to catch the door at the very last second.
> >
> >
> > References
> > ==========
> >
> > [1] http://en.wikipedia.org/wiki/Lock_%28device%29
> > [2] http://en.wikipedia.org/wiki/Door_closer
> >
> >
> > Credits & Gr33ts
> > ================
> >
> > Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
> >
> >
> > --
> > I)ruid, C²ISSP
> > druid@...ghq.org
> > http://druid.caughq.org
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
>



-- 
-- h0 h0 h0 --
www.nopsled.net
