I saw Nate do a 0day sploit on this at the Hard Rock Amsterdam!
On 3/31/08 10:18 PM, "Nate McFeters" <[EMAIL PROTECTED]> wrote:

> Hahaha, nice find.
>
> On 4/1/08, I)ruid <[EMAIL PROTECTED]> wrote:
>>             ____       ____      __    __
>>            /    \     /    \    |  |  |  |
>> ----====####/  /\__\##/  /\  \##|  |##|  |####====----
>>             |  |       |  |__|  |  |  |  |  |
>>             |  |  ___  |   __   |  |  |  |  |
>> ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
>>                    \____/   |__|  |__|  \______/
>>
>> Computer Academic Underground
>> http://www.caughq.org
>> Security Advisory
>>
>> ===============/========================================================
>> Advisory ID:    CAU-2008-0001
>> Release Date:   04/01/2008
>> Title:          Slowly Closing Door Race Condition
>> Application/OS: Physical Structures
>> Topic:          Physical structures employing exit doors with locks
>>                 are vulnerable to a race condition.
>> Vendor Status:  Not Notified
>> Attributes:     Physical, Race Condition
>> Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0001.txt
>> Author/Email:   CAU <advisories (at) caughq.org>
>> ===============/========================================================
>>
>> Overview
>> ========
>>
>> Physical structures which employ automatically locking doors to secure
>> exit points expose a race condition which may allow unauthorized entry.
>>
>>
>> Impact
>> ======
>>
>> Malicious outsiders may be able to enter a structure via an exit point.
>>
>> Exit points may additionally provide an exit from a secure area of the
>> structure, allowing an outsider entering through the exit point to gain
>> direct access to the secure area.
>>
>>
>> Affected Systems
>> ================
>>
>> Physical structures which employ automatically locking doors at exit
>> points of the structure.
>>
>>
>> Technical Explanation
>> =====================
>>
>> An exit's lock[1] generally converts a two-way door into a one-way
>> door, allowing a person to traverse the door's threshold in one
>> direction but not in the other. These types of locks are used to
>> secure exit points of structures so that people may exit via the door
>> but not re-enter without disabling the lock through force or
>> authentication.
>>
>> When a person exits the structure through an exit point which is
>> secured by such a mechanism, a race condition exists wherein a
>> malicious outsider may be able to reach the door and enter through it
>> before it closes and locks itself.
>>
>> Many doors, especially heavier ones, also employ closing mechanisms[2]
>> which are designed to cause the door to close slowly so as not to slam
>> the door shut and damage the door frame, or damage any human appendage
>> which may be in between the door and its frame. Such closing
>> mechanisms can greatly increase the amount of time that the race
>> condition exists.
>>
>>
>> Solution & Recommendations
>> ==========================
>>
>> 1) Always ensure that personnel exiting an exit door wait outside the
>>    door until it has completely closed and locked before walking
>>    away.
>>
>> 2) Employ a double door system such as is used in an air-lock where
>>    the interior door must be secured prior to the exterior door being
>>    allowed to open.
>>
>>
>> Exploitation
>> ============
>>
>> First identify the exit point that you want to exploit. Stand at a
>> safe distance during a high-traffic time and watch for people to use
>> the exit point. Time how long it takes for the door to close and
>> lock itself when someone traverses the exit point.
>>
>> Next, identify a safe hiding place near the exit point, preferably
>> in a direction that would be behind a person exiting the door, but
>> which is within a distance to the exit point which you could traverse
>> in under the door's closing time at a brisk pace or run.
>>
>> Finally, hide in this location during a lower traffic time and wait
>> for someone to utilize the exit point. After they have exited the
>> door and are walking away, run to the door and enter before it has
>> closed and locked. Extra points are awarded for a spectacular dive
>> and/or roll to catch the door at the very last second.
>>
>>
>> References
>> ==========
>>
>> [1] http://en.wikipedia.org/wiki/Lock_%28device%29
>> [2] http://en.wikipedia.org/wiki/Door_closer
>>
>>
>> Credits & Gr33ts
>> ================
>>
>> Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
>>
>>
>> --
>> I)ruid, C²ISSP
>> [EMAIL PROTECTED]
>> http://druid.caughq.org
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

Thanks,
David Weston
Security Engineer
Science Application International Corporation
Web: http://www.saic.com/infosec
Email: [EMAIL PROTECTED]
Office: 858-826-5435
Cell: 310-866-9713
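Recommendation (2) of the quoted advisory, the air-lock or mantrap arrangement, is a standard interlock pattern and is easy to state as an invariant: the two doors are never unsecured at the same time, so the window in which a single door is swinging shut on its closer is never a direct path into the secure area. The controller below is an added example written for this page, not code from CAU or the advisory; door names, the `closer_delay_s` figure, the sensor events and the log format are constructed assumptions. It also encodes recommendation (1) by treating an egress as complete only once the door reports both closed and locked.

```python
"""Mantrap (air-lock) interlock controller: an added example, not from the advisory.

Invariant: the inner and outer doors are never unsecured simultaneously.
A door counts as secured only when the position sensor reports CLOSED and
the strike reports LOCKED; a door that the closer has shut but whose strike
has not re-engaged is still treated as unsecured (the race window).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class DoorState(Enum):
    CLOSED_LOCKED = "closed_locked"        # secured
    OPEN = "open"                          # leaf away from the frame
    CLOSED_UNLOCKED = "closed_unlocked"    # closer finished, strike not yet engaged


@dataclass
class Door:
    name: str
    state: DoorState = DoorState.CLOSED_LOCKED
    closer_delay_s: float = 6.0  # assumed seconds the closer holds the leaf open


@dataclass
class Mantrap:
    inner: Door
    outer: Door
    log: List[str] = field(default_factory=list)

    def _other(self, door: Door) -> Door:
        return self.outer if door is self.inner else self.inner

    def request_release(self, door: Door, credential_ok: bool) -> bool:
        """Release `door` only if the credential is valid AND the other door is secured."""
        other = self._other(door)
        if not credential_ok:
            self.log.append(f"DENY {door.name}: invalid credential")
            return False
        if other.state is not DoorState.CLOSED_LOCKED:
            # This is the advisory's race: the other leaf is still swinging shut
            # (OPEN) or shut but not yet locked (CLOSED_UNLOCKED). Refuse.
            self.log.append(f"DENY {door.name}: {other.name} is {other.state.value}")
            return False
        door.state = DoorState.OPEN
        self.log.append(f"RELEASE {door.name}")
        return True

    def closer_finished(self, door: Door) -> None:
        """Position sensor: the leaf has reached the frame (strike may not be engaged yet)."""
        door.state = DoorState.CLOSED_UNLOCKED

    def strike_engaged(self, door: Door) -> None:
        """Lock sensor: the strike has re-engaged; the door is secured again."""
        door.state = DoorState.CLOSED_LOCKED
        self.log.append(f"SECURED {door.name}")

    def egress_complete(self, door: Door) -> bool:
        """Recommendation (1): an exit is only 'done' once the door is closed and locked."""
        return door.state is DoorState.CLOSED_LOCKED

    def single_door_window_s(self, door: Door) -> float:
        """Seconds a lone exit door would stay passable after a person lets go of it."""
        return door.closer_delay_s

    def invariant_holds(self) -> bool:
        """Both doors must never be unsecured at once."""
        inner_secured = self.inner.state is DoorState.CLOSED_LOCKED
        outer_secured = self.outer.state is DoorState.CLOSED_LOCKED
        return inner_secured or outer_secured


def run_demo() -> List[str]:
    """Walk one person out through the mantrap and return the controller log."""
    m = Mantrap(Door("inner"), Door("outer"))
    m.request_release(m.inner, credential_ok=True)   # person enters the vestibule
    m.closer_finished(m.inner)
    m.request_release(m.outer, credential_ok=True)   # denied: inner not yet locked
    m.strike_engaged(m.inner)
    m.request_release(m.outer, credential_ok=True)   # now allowed
    m.closer_finished(m.outer)
    m.strike_engaged(m.outer)
    return m.log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point of the `CLOSED_UNLOCKED` state is that a door closer finishing is not the same as the door being secured; a controller that releases the second door on the position sensor alone reintroduces the window the advisory describes, only one door further in.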
