Open Source and information security mailing list archives
Message-ID: <4EA99B93.8020100@tokidev.fr>
Date: Thu, 27 Oct 2011 19:57:39 +0200
From: Benjamin Renaut <benml@...idev.fr>
To: vladz <vladz@...zero.fr>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Symlink vulnerabilities

On 27/10/11 19:34, vladz wrote:
> Nice thing, but for sure, it can be optimized. For example, to save
> time, I would suggest you to use rename() instead of using both
> unlink() and rmdir() functions. Same thing for your write_shellcode()
> function, it contains too much calls. It would be preferable to create
> your nasty shell script first, and then (when it's time), rename() it
> as dirname.
>
> Cheers,

True!

Several people also suggested using inotify instead of looping over opendir/readdir like crazy. I tried that but, strangely enough, it seems to decrease the chances of success (in my test env and with the code as-is, exploitation succeeds in most cases anyway with the dirent version). I'm wondering if the very fact that there's a horrible while(1) taking up much of the CPU doesn't actually help by slowing down the system.

Cheers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
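The two mechanics this exchange turns on, side by side, as an added example that is not code from either poster's exploit: a readdir polling loop versus an inotify watch for spotting the moment a name appears in a directory, and a single rename() that drops a symlink into place atomically instead of an unlink()/rmdir()/symlink() sequence. It assumes Linux (inotify), works inside a private temporary directory it creates itself, and the link target `/tmp/attacker-chosen-target` is a constructed name with no meaning beyond the demo.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Busy-loop variant: rescan the directory with opendir/readdir until
 * `name` shows up or max_scans scans were made. Returns 1 if found. */
int poll_for_entry(const char *dir, const char *name, int max_scans)
{
    for (int i = 0; i < max_scans; i++) {
        DIR *d = opendir(dir);
        if (!d) return 0;
        struct dirent *e;
        int found = 0;
        while ((e = readdir(d)) != NULL)
            if (strcmp(e->d_name, name) == 0) { found = 1; break; }
        closedir(d);
        if (found) return 1;
    }
    return 0;
}

/* inotify variant, split in two so the watch exists before the event can
 * happen: a watch added after the create/rename simply never sees it. */
int inotify_open_watch(const char *dir)
{
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0) return -1;
    if (inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO) < 0) { close(fd); return -1; }
    return fd;
}

/* Sleep in poll() until an event for `name` arrives or timeout_ms passes.
 * Returns 1 if the entry was created or moved into the watched dir. */
int inotify_wait_name(int fd, const char *name, int timeout_ms)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    while (poll(&pfd, 1, timeout_ms) > 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) return 0;
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->len && strcmp(ev->name, name) == 0) return 1;
            p += sizeof *ev + ev->len;
        }
    }
    return 0;
}

/* Put a symlink to `target` at `path` with one rename(): the name is never
 * absent in between, so a victim that already checked `path` and now opens
 * it follows the link. rename() replaces a file, not a directory (a
 * directory can only be replaced by another, empty one). 0 on success. */
int atomic_symlink_swap(const char *path, const char *target)
{
    char tmp[1024];
    snprintf(tmp, sizeof tmp, "%s.%d.tmp", path, (int)getpid());
    unlink(tmp);
    if (symlink(target, tmp) < 0) return -1;
    if (rename(tmp, path) < 0) { unlink(tmp); return -1; }
    return 0;
}

/* Self-contained run: a forked child creates the entry, the parent sees it
 * via inotify, then via the readdir loop, then swaps a symlink over it.
 * Bitmask: 1 inotify saw it, 2 readdir saw it, 4 name is now the symlink. */
int run_demo(void)
{
    char dir[] = "/tmp/symlink-race-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char path[600];
    snprintf(path, sizeof path, "%s/flag", dir);
    const char *target = "/tmp/attacker-chosen-target"; /* constructed name */
    int result = 0;

    int ifd = inotify_open_watch(dir);          /* watch first, then race */
    pid_t pid = fork();
    if (pid == 0) {
        usleep(50000);                          /* let the parent be waiting */
        int fd = open(path, O_CREAT | O_WRONLY, 0600);
        if (fd >= 0) close(fd);
        _exit(0);
    }
    if (ifd >= 0) {
        if (inotify_wait_name(ifd, "flag", 2000)) result |= 1;
        close(ifd);
    }
    if (pid > 0) waitpid(pid, NULL, 0);
    if (poll_for_entry(dir, "flag", 1000)) result |= 2;

    struct stat st;
    char linkbuf[512];
    if (atomic_symlink_swap(path, target) == 0 && lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        ssize_t n = readlink(path, linkbuf, sizeof linkbuf - 1);
        if (n > 0) { linkbuf[n] = '\0'; if (strcmp(linkbuf, target) == 0) result |= 4; }
    }
    unlink(path);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("result bitmask: %d (7 means all three steps worked)\n", run_demo());
    return 0;
}
```

The inotify path spends its wait inside poll() and wakes only when the kernel reports the entry, which is the opposite of the CPU-hogging while(1) the reply wonders about; the rename() step is the part where the atomicity matters, since a victim checking the name between an unlink() and a later symlink() would see nothing there at all.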