lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 27 Oct 2011 10:39:46 -0400 (EDT)
From: bugs@....dhs.org
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities


Hi,

> Also, i mean a up to date, 2011 kernel here, not sum shitty old

root@...k:/root# uname -a
Linux b0rk 2.6.24-29-generic #1 SMP Wed Aug 10 16:34:32 UTC 2011 i686
GNU/Linux


> crapbox... i dont care for hardware but, if your shopoting from root
> like vlads examples, and, look, I havediscussed this exploit with
> kcope, who also thinks the same thing, and also played alittle with
> it, and, thats about 5 people now i know who have all played with this
> exact speak of fd.
> nwm,, for one thing, you have been biased, in showing only one side
> this spcalled code... as i am asmuch trustworthy as anyone if they
> have to proove a point, i have my own labs, and dont rel on sharing my
> info, and, simply dont have this working on 2011 kernels... yet, i
> have other onesd wrking on it, and, i have a few mods up my sleeve i
> have not tried yet n this, but, it was stopping me befoe i would even
> reach that area, so, im now interested on how this is winnable, and,
> why you trust only one side with code, yet dont simply shown us both.
> thats abit harsh, i find that actually rude but, whatever dude.
> I still think its crap anyhow, so, enjoy your 60% chance s[ploit on,
> whats not going to be a recent 2011 kernel :)
> right.


It's not the value of the exploit that matters to me at all (not going to
find much using bzexe these days with 1tb disks running around) it's the
thrill of the hunt. I wanted to see if it could be done.


> anyhow, now, im agitated, and sleepy.
> you have really shown how whitehats can be true arseholes :)
> anyhow gnite.

I'm not trying to be an ass, just trying to see if exploiting this would
indeed work.  At first I didn't think it was possible but spoke with vladz
offline more about it.  I respect the people on this list very much and
wouldn't intentionally insult anyone.

>
>
> On 28 October 2011 01:20,  <bugs@....dhs.org> wrote:
>> Hi,
>>
>> I've gotten this exploit to work, albeit on a slow 500mhz system with
>> 256mb of ram.  I've shared the details with vladz and will make them
>> available soon.  It's a hard race to win, but it can be won about 60% of
>> the time.
>>
>>> On Fri, 28 Oct 2011 00:56:35 +1100, xD 0x41 said:
>>>
>>>> morning but, i trust you, itcannot be exploited, in any way, it will
>>>> only cause corruption of tar and compression utils, at most.
>>>
>>> Umm. Maybe in *that step* it's "at most". But what can you leverage
>>> that into?
>>>
>>> If you can screw with the code execution of the tar command
>>> enough to get root to untar a file of your choosing, you then have your
>>> entire rootkit installed with no further effort on your part. ;)
>>>
>>> (For a wonderful read on leveraging, find the tech writeup from a few
>>> years
>>> ago on how a 1-byte overlay in ntpd got leveraged into a total root
>>> pwn.)
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ