[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <25698.1319737879@turing-police.cc.vt.edu>
Date: Thu, 27 Oct 2011 13:51:19 -0400
From: Valdis.Kletnieks@...edu
To: Andrew Farmer <andfarm@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities
On Thu, 27 Oct 2011 10:31:12 PDT, Andrew Farmer said:
> And systems like inotify make filesystem races trivial to win. I
> wouldn't be surprised if you could win this particular race reliably by
> watching for the files bzexe drops and acting immediately when they show
> up.
Good point. That actually has multiple benefits - first off, you don't have a
'while (1)' loop in your code that's easily spotted on a 'ps' or 'top'. So you
can afford to set the inotify and wait (potentially days, if needed) with less
chance of detection. And then when the inotify pops and tells you your file is
ready to be exploited, the circumstances of returning from the blocked syscall
will tend to give your process a scheduling boost, improving your chances of
winning the race because you'll schedule soon.
It's amazing how many optimizations people are coming up for a vulnerability
that some were saying is impossible to exploit. ;)
Content of type "application/pgp-signature" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists