| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <002901c89406$e3c5e110$336b880a@softpro.corp>
Date: Tue, 1 Apr 2008 10:44:27 -0400
From: "Garrett M. Groff" <groffg@...design.com>
To: "evilrabbi" <evilrabbi@...il.com>,
"Nate McFeters" <nate.mcfeters@...il.com>, <bugtraq@...urityfocus.com>,
<full-disclosure@...ts.grok.org.uk>
Subject: Re: CAU-2008-0001 - Slowly Closing Door
RaceCondition
Although, in all seriousness, I can imagine "physical world" things being compromised, possibly via software attacks alone (or, equally likely, a single disgruntled employee). Allow me to explain using a particular example: safes.
Companies that make safes (be they old-fashioned mechanical or electronic) often have records of their combinations corresponding to a unique serial number for each safe. Yes, they have an electronic database of all the combinations for all their safes. In the case of electronic safes, this combination is often un-changeable; the user of the safe can use that factory default code initially to create a "user combination" that can open the safe, but can later be changed (if you wish to disallow that user access later on). Anyway, the factory default combination can't be changed and is in a database somewhere. This presents a convenience on the part of the business that produces the safes (avoids angry customers who are locked out of their safes) but reduces security for all users of that company's products.
I understand the business case for keeping records of all combinations for all safes, but the downside is security in the event that that list/database is ever leaked.
- G
----- Original Message -----
From: evilrabbi
To: Nate McFeters
Cc: full-disclosure@...ts.grok.org.uk ; bugtraq@...urityfocus.com
Sent: Tuesday, April 01, 2008 9:58 AM
Subject: Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition
Why would you realease something like this without telling the vendor? What you did is irresponsible.
On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters <nate.mcfeters@...il.com> wrote:
Hahaha, nice find.
On 4/1/08, I)ruid <druid@...ghq.org> wrote:
____ ____ __ __
/ \ / \ | | | |
----====####/ /\__\##/ /\ \##| |##| |####====----
| | | |__| | | | | |
| | ___ | __ | | | | |
------======######\ \/ /#| |##| |#| |##| |######======------
\____/ |__| |__| \______/
Computer Academic Underground
http://www.caughq.org
Security Advisory
===============/========================================================
Advisory ID: CAU-2008-0001
Release Date: 04/01/2008
Title: Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic: Physical structures employing exit doors with locks
are vulnerable to a race condition.
Vendor Status: Not Notified
Attributes: Physical, Race Condition
Advisory URL: http://www.caughq.org/advisories/CAU-2008-0001.txt
Author/Email: CAU <advisories (at) caughq.org>
===============/========================================================
Overview
========
Physical structures which employ automatically locking doors to secure
exit points expose a race condition which may allow unauthorized entry.
Impact
======
Malicious outsiders may be able to enter a structure via an exit point.
Exit points may additionally provide an exit from a secure area of the
structure, allowing an outsider entering through the exit point to gain
direct access to the secure area.
Affected Systems
================
Physical structures which employ automatically locking doors at exit
points of the structure.
Technical Explanation
=====================
An exit's lock[1] generally converts a two-way door into a one-way
door, allowing a person to traverse the door's threshold in one
direction but not in the other. These types of locks are used to
secure exit points of structures so that people may exit via the door
but not re-enter without disabling the lock through force or
authentication.
When a person exits the structure through an exit point which is
secured by such a mechanism, a race condition exists wherein a
malicious outsider may be able to reach the door and enter through it
before it closes and locks itself.
Many doors, especially heavier ones, also employ closing mechanisms[2]
which are designed to cause the door to close slowly so as not to slam
the door shut and damage the door frame, or damage any human appendage
which may be in between the door and it's frame. Such closing
mechanisms can greatly increase the amount of time that the race
condition exists.
Solution & Recommendations
==========================
1) Always ensure that personnel exiting an exit door wait outside the
door until it has completely closed and locked before walking
away.
2) Employ a double door system such as is used in an air-lock where
the interior door must be secured prior to the exterior door being
allowed to open.
Exploitation
============
First identify the exit point that you want to exploit. Stand at a
safe distance during a high-traffic time and watch for people to use
the exit point. Time how long it takes for the door to close and
lock itself when someone traverses the exit point.
Next, identify a safe hiding place near the exit point, preferably
in a direction that would be behind a person exiting the door, but
which is within a distance to the exit point which you could traverse
in under the door's closing time at a brisk pace or run.
Finally, hide in this location during a lower traffic time and wait
for someone to utilize the exit point. After they have exited the
door and are walking away, run to the door and enter before it has
closed and locked. Extra points are awarded for a spectacular dive
and/or roll to catch the door at the very last second.
References
==========
[1] http://en.wikipedia.org/wiki/Lock_%28device%29
[2] http://en.wikipedia.org/wiki/Door_closer
Credits & Gr33ts
================
Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
--
I)ruid, CĀ²ISSP
druid@...ghq.org
http://druid.caughq.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
-- h0 h0 h0 --
www.nopsled.net
------------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists