lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <997ef2c20803312218n65a6321cq215f88e872de41ba@mail.gmail.com>
Date: Tue, 1 Apr 2008 00:18:00 -0500
From: "Nate McFeters" <nate.mcfeters@...il.com>
To: "I)ruid" <druid@...ghq.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: CAU-2008-0001 - Slowly Closing Door Race
	Condition

Hahaha, nice find.

On 4/1/08, I)ruid <druid@...ghq.org> wrote:
>
>                      ____      ____     __    __
>                     /    \    /    \   |  |  |  |
>        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
>                   |  |      |  |__|  | |  |  |  |
>                   |  |  ___ |   __   | |  |  |  |
> ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
>                     \____/  |__|  |__|  \______/
>
>                    Computer Academic Underground
>                        http://www.caughq.org
>                          Security Advisory
>
> ===============/========================================================
> Advisory ID:    CAU-2008-0001
> Release Date:   04/01/2008
> Title:          Slowly Closing Door Race Condition
> Application/OS: Physical Structures
> Topic:          Physical structures employing exit doors with locks
>                are vulnerable to a race condition.
> Vendor Status:  Not Notified
> Attributes:     Physical, Race Condition
> Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0001.txt
> Author/Email:   CAU <advisories (at) caughq.org>
> ===============/========================================================
>
> Overview
> ========
>
> Physical structures which employ automatically locking doors to secure
> exit points expose a race condition which may allow unauthorized entry.
>
>
> Impact
> ======
>
> Malicious outsiders may be able to enter a structure via an exit point.
>
> Exit points may additionally provide an exit from a secure area of the
> structure, allowing an outsider entering through the exit point to gain
> direct access to the secure area.
>
>
> Affected Systems
> ================
>
> Physical structures which employ automatically locking doors at exit
> points of the structure.
>
>
> Technical Explanation
> =====================
>
> An exit's lock[1] generally converts a two-way door into a one-way
> door, allowing a person to traverse the door's threshold in one
> direction but not in the other.  These types of locks are used to
> secure exit points of structures so that people may exit via the door
> but not re-enter without disabling the lock through force or
> authentication.
>
> When a person exits the structure through an exit point which is
> secured by such a mechanism, a race condition exists wherein a
> malicious outsider may be able to reach the door and enter through it
> before it closes and locks itself.
>
> Many doors, especially heavier ones, also employ closing mechanisms[2]
> which are designed to cause the door to close slowly so as not to slam
> the door shut and damage the door frame, or damage any human appendage
> which may be in between the door and it's frame.  Such closing
> mechanisms can greatly increase the amount of time that the race
> condition exists.
>
>
> Solution & Recommendations
> ==========================
>
> 1) Always ensure that personnel exiting an exit door wait outside the
>   door until it has completely closed and locked before walking
>   away.
>
> 2) Employ a double door system such as is used in an air-lock where
>   the interior door must be secured prior to the exterior door being
>   allowed to open.
>
>
> Exploitation
> ============
>
> First identify the exit point that you want to exploit.  Stand at a
> safe distance during a high-traffic time and watch for people to use
> the exit point.  Time how long it takes for the door to close and
> lock itself when someone traverses the exit point.
>
> Next, identify a safe hiding place near the exit point, preferably
> in a direction that would be behind a person exiting the door, but
> which is within a distance to the exit point which you could traverse
> in under the door's closing time at a brisk pace or run.
>
> Finally, hide in this location during a lower traffic time and wait
> for someone to utilize the exit point.  After they have exited the
> door and are walking away, run to the door and enter before it has
> closed and locked.  Extra points are awarded for a spectacular dive
> and/or roll to catch the door at the very last second.
>
>
> References
> ==========
>
> [1] http://en.wikipedia.org/wiki/Lock_%28device%29
> [2] http://en.wikipedia.org/wiki/Door_closer
>
>
> Credits & Gr33ts
> ================
>
> Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
>
>
> --
> I)ruid, CĀ²ISSP
> druid@...ghq.org
> http://druid.caughq.org
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ