Date: Wed, 26 Oct 2011 10:33:42 +1100
From: xD 0x41 <secn3t@...il.com>
To: Michal Zalewski <lcamtuf@...edump.cx>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities

Hi Michael,
    I will try to lever it past, using some extra code, but it will still
bump into ASLR I think.
When I see you commenting on it and backing what I have said, it makes me
think that I am probably right on this one.
Anyhow, I will leave it here, I think I have said what needs to be, that
is, it is not a kernel object that is simply *won* with any race condition,
any binary... and b. there is much better protection against this stuff
than there ever has been, in even lower level vanilla boxes (ie; Ubuntu is a
major target for this stuff...).
If Tavis can make it work, then I don't see how I can beat that, he is far
superior to me in this area, and I bow to him.
Although, I believe him and Vlad are both incorrect, and the Ubuntu and
Debian secteams have been RIGHT in leaving it low priority, and this is
simply because I have always read their gits and watched the pulls etc.,
they're not talking much about it, they have spoken of it and recreated it
obviously from their own talks, but they must also have bumped into this
same problem..
I know there are ways around it, but NOT using this binary....not this
method.
I mean nobody any disrespect, I just wanted to be sure we are prioritising
even what is posted to the list for example, and even such a small area, it
is very important to discuss, and hat color doesn't matter, this affects all
boxes, even the black ones...as I see things.
I will try better but, so far, no banana with this binary, only flaws from it
being blocked every time...and no hope with using cron so far to make it, although
I dare not even try since it could not bypass to gain root, I kinda stopped
code production there, which is all but about 10 lines anyhow.. I think
many people could easily reproduce the said PoC, but I guess it would take
a lot more than just some symlink trick to push this one any further.
Cheers,
xd


On 26 October 2011 10:04, Michal Zalewski <lcamtuf@...edump.cx> wrote:

> > You can make it bypass ASLR?
>
> No, you are absolutely correct, this vulnerability can't be used to
> bypass ASLR. Score one for address space randomization.
>
> /mz
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/