lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201106292153.50685.timb@nth-dimension.org.uk>
Date: Wed, 29 Jun 2011 21:53:49 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Breaking the links: Exploiting the linker

I've recently been working on a paper on Linux and POSIX linkers, the most 
recent release of which can be found at:

* http://www.nth-dimension.org.uk/downloads.php?id=77

I'm particularly interested in feedback on references or threats that I may 
have missed.  As per the abstract, the aim of the paper wasn't to claim 
everything as my own but rather to document as much as possible about common 
flaws and how to identify them.

Whilst working on the paper I came across a number of interesting bugs (some 
exploitable, others sadly not).  The paper itself touches on the circumstances 
around CVE-2011-1126 but two other bugs also mentioned in the paper (one of 
which I released the advisory NDSA20110310 for) are potentially more useful so 
I've written PoC to exploit them:

1)  http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using 
DB2 from normal user to root, the PoC is for Linux but based on testing the 
AIX version looks iffy too although I couldn't get gcc to generate a valid 
library to exploit it.
2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the 
QNX runtime linker which abuses an arbitrary file overwrite and race condition 
to get root.

The paper is still a work in progress but both DB2 and QNX are available for 
download if you want to take them for a spin.  Anyway, enjoy!

Tim
-- 
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>

Download attachment "signature.asc " of type "application/pgp-signature" (837 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ