lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <af75623d95219a82dab770bc09baa2a5.squirrel@fbi.dhs.org>
Date: Tue, 25 Oct 2011 20:42:38 -0400 (EDT)
From: bugs@....dhs.org
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities


Aw, Even if you loop and copy a binary continuously into that directory
say bash is bzexe'd.

and our exploit does the following

#!/bin/sh
chmod 777 /etc/shadow

You'll get,

kemical:~# bzexe bash
  bash:     2.214:1,  3.614 bits/byte, 54.83% saved, 700492 in, 316442 out.
kemical:~# ./bash
./bash: line 14: /tmp/bash: is a directory
/bin/rm: cannot remove `/tmp/bash': Is a directory

kemical:~# ls -l /etc/shadow
-rw-r----- 1 root shadow 1174 2010-12-07 16:49 /etc/shadow


+ /bin/rm -f /tmp/gztmpYCf11e /tmp/bash
/bin/rm: cannot remove `/tmp/bash': Is a directory



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Race condition != Memory corruption...
>
> (and therefore ASLR has NOTHING to do with it...)
>
> http://i.imgur.com/l1l3o.gif <= me after reading this.
>
> On 10/25/2011 06:56 PM, xD 0x41 wrote:
>> ln actually succeeds, but created /tmp/foo/foo instead. The attacker
>> still
>> owns /tmp/foo, so he quickly rename()s it and replaces /tmp/foo with his
>> exploit.
>>
>> You can make it bypass Aslr ?
>> This is what im talking about tavis, not the well known ln and other
>> bugs you have pleasured us all with :)
>> THIS one, cannot be won.
>> proove it, it is a shitty poc, i cannot get passed the break when it
>> symlinks across using ln, it triggers something, and shuts whatever
>> down..
>> Your audit and kcopes audit bugs, work alittle differently..
>> This PoC is a *fail* Tavis, you would otherwise have made it into a real
>> poc that actually spawns root , yes even in cron if what your saying is
>> right , no?
>> Im saying, Kernel will shut your PoC down, your saying it wont.
>> Proove me wrong , coz sofar, many have tried and many have failed.
>> it does not even need be disclosed, i dont mind.
>> i would be happy thelp fix a bug within the kernel but, we both know
>> this is not within kernel land,it is a bug in another area,
>> It still must bypass atleast ASLR on vanilla to be called a real poc,and
>> be treated as such by the secteam of Ubuntu and debian, of wich, they
>> dont seem to be in any hurry atall about this one, where, your ones, and
>> kcopes, they were VERY prompt to jump on.
>> i believe many have recreated it, but simply cannnot get it to spawn a
>> stable enough root shell.
>> Your the brains in bash, i wont deny you this, but i do not se this one
>> working Tavis :s
>> Please, by all means, proove it and Vladz name is clear. Otherwise to me
>> is just another exposed failed poc wich is screaming for ubuntu devteam
>> to give a crap :s.
>> My outlook is bleak, yes, but i was part of one of such teams years ago,
>> altho, i wont go into that now, it is not even part of this OS, so, I do
>> know how secteams somewhat work, they prioritise things.
>> if a bug is being used like crazy to exploit, they will simply implant
>> some new binarys, along with theyre kernel..and possibly update bzexe
>> and bunzip etc, all of wich have had many flaws, i just dont think a
>> race condition can be won in this case.
>> Thats from actual hard code exploits not running because of aslr, on the
>> simplest of setups even.
>> Its already out, this infos, so, if you think it also leads to root,
>> then i would expect YOU of all people to be alot more proactive about
>> it.
>> Your not though.
>> I appreciate the time you have taken but, i believe you wont win this
>> race :).
>> Have a nice day.
>> xd
>>
>>
>> On 25 October 2011 21:06, Tavis Ormandy <taviso@...xchg8b.com
>> <mailto:taviso@...xchg8b.com>> wrote:
>>
>>     xD 0x41 <secn3t@...il.com <mailto:secn3t@...il.com>> wrote:
>>
>>     > Hello,
>>     >     Your 'race condition possibly leading to root'is a myth...
>>     > Yes thats maybe because race condition or not, it is ASLR wich
>> will
>>     > prevent from ANY rootshell,and Yes, it has bveen tried... You can
>> do
>>     > better, go right ahed ;-) I am betting you thats why it aint being
>>     ptached
>>     > in any hurry, because obv if you read some notes about it in the
>>     committs,
>>     > you will see they must have reproduced the said bugs, in and with,
>>     more
>>     > than JUST bzexe even... but anyhow, your PoC is bs.
>>
>>     I think you misunderstood, he's not talking about memory corruption,
>> his
>>     attack sounds like a legitimate filesystem race. I'll try to
>>     explain, the
>>     bzexe utility compresses executables and then decompresses them at
>>     runtime
>>     by prepending a decompression stub.
>>
>>     His attack is against the stub, which is a bourne shell script. It
>>     basically
>>     does this:
>>
>>        1. Safely decompress the original executable inside /tmp using
>>     tempfile.
>>        2. Create a hardlink to the decompressed executable with the same
>>     name
>>     of the original input (this is a trick to maintain argv[0], which is
>>     not as
>>     easy in bourne as it is in modern shells).
>>        3. Execute the hardlink with the requested parameters.
>>
>>     His attack is against stage 2, he points out that although it is
>>     safe to use
>>     the link() system call in /tmp, the ln(1) utility does some
>> convenience
>>     processing if you pass it a directory name.
>>
>>     So, the attack scenario would be that root executed a bzexe
>> compressed
>>     executable called foo, and then he creates the directory /tmp/foo,
>>     and makes
>>     it 777.
>>
>>     ln actually succeeds, but created /tmp/foo/foo instead. The attacker
>>     still
>>     owns /tmp/foo, so he quickly rename()s it and replaces /tmp/foo with
>> his
>>     exploit.
>>
>>     Now root executes it, and gives him a root shell.
>>
>>     Vladz suggests using -F, which will solve this problem by telling ln
>>     to use
>>     the directory name instead. This will work nicely.
>>
>>     > Make it then ill
>>     > believe it, ask others, you wont beat aslr on even vanilla,. So,
>> stop
>>     > complaining you did not get into patch- halll of flame.. it was
>>     not really
>>     > going to be ever exploited, or you would surely not be the one
>> posting
>>     > this ;) Anyhow, nice try but no banana. xd
>>
>>     I think it's quite a nice example, and a nice simple solution.
>> Imagine a
>>     system where crond executes a bzexe utility at regular intervals,
>> Vladz'
>>     attack will eventually succeed.
>>
>>     Tavis.
>>
>>     >
>>     >
>>     > On 24 October 2011 05:55, vladz <vladz@...zero.fr
>>     <mailto:vladz@...zero.fr>> wrote:
>>     >
>>     > > On Fri, Oct 21, 2011 at 07:59:59PM -0400, bugs@....dhs.org
>>     <mailto:bugs@....dhs.org> wrote:
>>     > > > bzexe utility:
>>     > > >
>>     > > > /bin/bzexe:tmp=gz$$ /bin/bzexe:rm -f zfoo[12]$$
>>     > >
>>     > > I reported this one several months ago (in some conditions it
>>     could lead
>>     > > to a root exploit) and provided an easy solution, but no
>> updates:
>>     > >
>>     > >  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632862
>>     > >
>>     > > -- http://vladz.devzero.fr PGP key 8F7E2D3C from pgp.mit.edu
>>     <http://pgp.mit.edu>
>>     > >
>>     > > _______________________________________________ Full-Disclosure
>> - We
>>     > > believe in it. Charter:
>>     > > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
>>     > > sponsored by Secunia - http://secunia.com/
>>     > >
>>     >
>>     >
>>
>>
>>     --
>>     -------------------------------------
>>     taviso@...xchg8b.com <mailto:taviso@...xchg8b.com> | pgp encrypted
>>     mail preferred
>>     -------------------------------------------------------
>>
>>     _______________________________________________
>>     Full-Disclosure - We believe in it.
>>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>     Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iF4EAREIAAYFAk6nSXkACgkQt/95fIeU+XYT2wD8CnpWw+xUx3eGSnxCWv7LVk1a
> kZgZJGQH1OdZR9uV4K8A/1BsiZ+gaDjE4Wz5L+BT56AU9XKvb4txjxVTMA8+GTna
> =AD/5
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ