lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <25698.1319737879@turing-police.cc.vt.edu>
Date: Thu, 27 Oct 2011 13:51:19 -0400
From: Valdis.Kletnieks@...edu
To: Andrew Farmer <andfarm@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities

On Thu, 27 Oct 2011 10:31:12 PDT, Andrew Farmer said:
> And systems like inotify make filesystem races trivial to win. I
> wouldn't be surprised if you could win this particular race reliably by
> watching for the files bzexe drops and acting immediately when they show
> up.

Good point.  That actually has multiple benefits - first off, you don't have a
'while (1)' loop in your code that's easily spotted on a 'ps' or 'top'.  So you
can afford to set the inotify and wait (potentially days, if needed) with less
chance of detection.  And then when the inotify pops and tells you your file is
ready to be exploited, the circumstances of returning from the blocked syscall
will tend to give your process a scheduling boost, improving your chances of
winning the race because you'll schedule soon.

It's amazing how many optimizations people are coming up for a vulnerability
that some were saying is impossible to exploit. ;)


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ