Message-ID: <2610-1613638590.576724@tktx.M3An.hTF4>
Date: Thu, 18 Feb 2021 08:56:30 +0000
From: Roman Fiedler <roman.fiedler@...aralleled.eu>
To: FD <fulldisclosure@...lists.org>
Subject: [FD] Rigged Race Against Firejail for Local Root: Using pipes/ptys to win races

Hello List,

100% reliable exploitation of file system time races (TOCTOU
vulnerabilities) may be hard as the timing depends on numerous
target system parameters (CPU cores, load, memory pressure, file
system type, ...). Instead of optimizing the exploit to win the
real race, the timing of Firejail stderr and stdout output was
analyzed. With the correct parameters known the Firejail process
can be frozen exactly in the right moment when attempting to
write a message to a filled pipe (blocking write). Thus the exploit
has any time in the world to modify the file system before restarting
Firejail by emptying the pipe again.

The technique proved useful to cut down the time required from
vulnerability discovery to creating a working exploit using the
recipe given in [1].

[1] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
[2] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/UnjailMyHeart.c
[3] https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt

Kind regards,
Roman Fiedler

| |  DI Roman Fiedler
| /  roman.fiedler at unparalleled.eu  +43 677 63 29 28 29
/ |  Unparalleled IT Services e.U.     FN: 516074h           VAT: ATU75050524
| |  https://unparalleled.eu/          Felix-Dahn-Platz 4, 8010 Graz, Austria
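The defensive counterpart to the race described above, as an added example that is not code from the advisory or from Firejail: a privileged path check that is vulnerable to a check-to-use window (pausing the process on a blocking stderr write sits exactly in that window) next to a form that opens first and verifies the descriptor it actually holds, so stalling the process gains nothing. It assumes Linux with POSIX open(2) flags; the owner check and messages are illustrative.

```c
/* Added example: check-then-use (TOCTOU) vs. open-then-verify.
 * Not the advisory's or Firejail's code; constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: lstat() the path, write a message, then open().
 * If the caller controls stderr (a pipe it can fill), the fprintf()
 * blocks and the process sits between "check" and "use" for as long
 * as the caller likes; open() then follows whatever the path names now.
 * Returns an fd or -1. */
int open_checked_toctou(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;
    fprintf(stderr, "opening %s\n", path);  /* blocking write point */
    return open(path, O_RDONLY);            /* follows a swapped-in symlink */
}

/* Hardened pattern: open with O_NOFOLLOW so a symlink at the final
 * component fails outright, then verify the object via fstat() on the
 * descriptor.  Later changes to the path cannot affect the fd, and the
 * message is written only after the object is pinned. */
int open_checked_atomic(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    fprintf(stderr, "opened %s\n", path);   /* safe: the fd is already fixed */
    return fd;
}
```

The same principle applies to any privileged tool: do privileged checks on descriptors, not paths, and never let untrusted output channels sit between a check and the operation it guards.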


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
