| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Oct 2010 21:52:54 +0200 From: Tavis Ormandy <taviso@...xchg8b.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path Hanno Böck <hanno@...eck.de> wrote: > Am Monday 18 October 2010 schrieb Tavis Ormandy: > > # Open a file descriptor to the target binary (note: some users are > > surprised # to learn exec can be used to manipulate the redirections of > > the current # shell if a command is not specified. This is what is > > happening below). $ exec 3< /tmp/exploit/target > > I tried to reproduce this on Gentoo and it fails at this point. It seems > the reason is that suid-binaries are not world-readable on Gentoo (on > Debian they are) - this seems to be a useful security measure. > Hi Hanno, I explained why this is insufficient in the Notes section of my advisory, along with some example code to circumvent this. Tavis. -- ------------------------------------- taviso@...xchg8b.com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists