Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Full-disclosure] Symlink attack techniques
Date: Thu Dec 15 2005 - 21:08:17 CST
On Thu, 15 Dec 2005 18:14:51 CST, James Longstreet said:
> Since it doesn't seem like you can control what gets written to the
> file, you probably can't directly get root access from there. The
> output could have some ill effect if written to the correct file...
> hard to know without knowing what the output is.
> Of course, as was already suggested, you can be malicious and
> destructive and destroy /etc/passwd (or any other file on the
> system), but I don't see right away how to gain root from that.
The trick here is to find some file where the mere *existence* of the
file will alter the behavior of something. Obvious targets include
/etc/hosts.equiv on boxes still running the BSD r* commands, or things
like /etc/cron.allow. Other possibilities include finding a cron job
or frequently run program that will misbehave if it can't open a file
with open(..O_EXCL), and so on....
It almost certainly won't get you root by itself, but it may be possible
to use it to leverage a second vulnerability that you wouldn't otherwise be
able to use....
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/