Even if bzexe is not used that much, I found similar configurations (compressed binaries launched via crond) on embedded systems (I think this is what bzexe was made for).
This is true, you're correct, but then, you don't even have to use a compression agent.. there are still many other holes not even being discussed.. that will 100% give you root. I guess that's why they're not being discussed though, eh ;) You don't even have to go *this* far to gain root... I mean, using some compression agent, etc etc, and relying on a bug in the binary of a compression agent, although I have said that there have been MANY bugs in these softwares for many years now.. in some earlier post, so I am really wondering why this one has even gone to seclists, where there is no proof it gains root at all. Just a friendly blackhat tip of the hat to you. cheers. xd

On 26 October 2011 05:54, vladz <[email protected]> wrote:
>
> Hi,
>
> On Tue, Oct 25, 2011 at 12:06:25PM +0200, Tavis Ormandy wrote:
> > xD 0x41 <[email protected]> wrote:
> > > Your 'race condition possibly leading to root' is a myth...
> > > Yes, that's maybe because, race condition or not, it is ASLR which will
> > > prevent ANY rootshell, and yes, it has been tried... You can do
> > > better, go right ahead ;-) I am betting you that's why it ain't being patched
> > > in any hurry, because obviously if you read some notes about it in the commits,
> > > you will see they must have reproduced the said bugs, in and with, more
> > > than JUST bzexe even... but anyhow, your PoC is bs.
> >
> > I think you misunderstood, he's not talking about memory corruption, his
> > attack sounds like a legitimate filesystem race. I'll try to explain, the
> > bzexe utility compresses executables and then decompresses them at runtime
> > by prepending a decompression stub.
>
> Thank you for explaining it to him, I thought he was not replying to the right
> thread.
>
> > I think it's quite a nice example, and a nice simple solution. Imagine a
> > system where crond executes a bzexe utility at regular intervals, Vladz'
> > attack will eventually succeed.
> >
> Even if bzexe is not used that much, I found similar configurations
> (compressed binaries launched via crond) on embedded systems (I think
> this is what bzexe was made for).
>
> vladz.
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
