| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Feb 2021 08:56:30 +0000 From: Roman Fiedler <roman.fiedler@...aralleled.eu> To: FD <fulldisclosure@...lists.org> Subject: [FD] Rigged Race Against Firejail for Local Root: Using pipes/ptys to win races Hello List, 100% reliable exploitation of file system time races (TOCTOU vulnerabilities) may be hard as the timing depends on numerous target system parameters (CPU cores, load, memory pressure, file system type, ...). Instead of optimizing the exploit to win the real race, the timing of Firejail stderr and stdout output was analyzed. With the correct parameters known the Firejail process can be frozen exactly in the right moment when attempting to write a message to a filled pipe (blocking write). Thus the exploit has any time in the world to modify the file system before restarting Firejail by emptying the pipe again. The technique proved useful to cut down the time required from vulnerability discovery to creating a working exploit using the recipy given in [1]. [1] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ [2] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/UnjailMyHeart.c [3] https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt Kind regards, Roman Fiedler | | DI Roman Fiedler | / roman.fiedler at unparalleled.eu +43 677 63 29 28 29 / | Unparalleled IT Services e.U. FN: 516074h VAT: ATU75050524 | | https://unparalleled.eu/ Felix-Dahn-Platz 4, 8010 Graz, Austria _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists