|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-disclosure] Symlink attack techniques
Valdis.Kletnieks
vt.edu
Date: Thu Dec 15 2005 - 21:08:17 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 15 Dec 2005 18:14:51 CST, James Longstreet said:
> Since it doesn't seem like you can control what gets written to the
> file, you probably can't directly get root access from there. The
> output could have some ill effect if written to the correct file...
> hard to know without knowing what the output is.
> Of course, as was already suggested, you can be malicious and
> destructive and destroy /etc/passwd (or any other file on the
> system), but I don't see right away how to gain root from that.
The trick here is to find some file where the mere *existence* of the
file will alter the behavior of something. Obvious targets include
/etc/hosts.equiv on boxes still running the BSD r* commands, or things
like /etc/cron.allow. Other possibilities include finding a cron job
or frequently run program that will misbehave if it can't open a file
with open(..O_EXCL), and so on....
It almost certainly won't get you root by itself, but it may be possible
to use it to leverage a second vulnerability that you wouldn't otherwise be
able to use....
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFDoi+hcC3lWbTT17ARAhn2AKCTJyJf+7peWglyqknHIRAWapn4UwCfU1da
CynW+cHCFufOvv4Qm6G/7aM=
=nTlP
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]