Hello List,

100% reliable exploitation of file system time races (TOCTOU vulnerabilities) may be hard, as the timing depends on numerous target system parameters (CPU cores, load, memory pressure, file system type, ...). Instead of optimizing the exploit to win the real race, the timing of Firejail stderr and stdout output was analyzed. With the correct parameters known, the Firejail process can be frozen exactly in the right moment when attempting to write a message to a filled pipe (blocking write). Thus the exploit has any time in the world to modify the file system before restarting Firejail by emptying the pipe again.

The technique proved useful to cut down the time required from vulnerability discovery to creating a working exploit using the recipe given in [1].

[1] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
[2] https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/UnjailMyHeart.c
[3] https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt

Kind regards,
Roman Fiedler

DI Roman Fiedler
roman.fiedler at unparalleled.eu
+43 677 63 29 28 29
Unparalleled IT Services e.U.
FN: 516074h  VAT: ATU75050524
https://unparalleled.eu/
Felix-Dahn-Platz 4, 8010 Graz, Austria

Sent through the Full Disclosure mailing list, https://nmap.org/mailman/listinfo/fulldisclosure (archives: http://seclists.org/fulldisclosure/)
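The mechanism the post relies on, a process stalling in a blocking write because its stderr is a pipe that is already full, can be reproduced in isolation without any Firejail or file system specifics. The following C program is an added illustration written for this page, not code from the post or from the UnjailMyHeart.c exploit it references. It fills a pipe with non-blocking writes, switches the write end back to blocking, forks a child whose stderr is that pipe, and confirms from the parent that the child stays stuck on its diagnostic write until the parent drains the pipe. The helper names (`fill_pipe`, `drain_pipe`, `demo_pipe_freeze`) and the marker byte on a second pipe are constructions for this demonstration; the point for a defender is that a privileged program's stdout/stderr are attacker-controlled descriptors, so its check-and-use window must be closed in code (fd-based operations such as `fstat` and `openat` on the already opened file) rather than relying on the window being short.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Write filler into a non-blocking pipe until the kernel reports it full.
 * Large chunks first, then single bytes, so no partial page is left free.
 * Returns the number of bytes queued, 0 on error. */
static size_t fill_pipe(int wfd) {
    char buf[4096];
    size_t total = 0, chunk = sizeof buf;
    memset(buf, 'x', sizeof buf);
    while (chunk > 0) {
        ssize_t n = write(wfd, buf, chunk);
        if (n > 0) { total += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) {
            chunk = (chunk == 1) ? 0 : 1;   /* retry with 1-byte writes, then stop */
            continue;
        }
        return 0;
    }
    return total;
}

static int set_nonblock(int fd, int on) {
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0) return -1;
    flags = on ? (flags | O_NONBLOCK) : (flags & ~O_NONBLOCK);
    return fcntl(fd, F_SETFL, flags);
}

/* Read until EOF; returns total bytes drained. EOF only arrives once every
 * writer has closed its end, so the caller must hold no write end itself. */
static size_t drain_pipe(int rfd) {
    char buf[4096];
    size_t total = 0;
    ssize_t n;
    while ((n = read(rfd, buf, sizeof buf)) != 0) {
        if (n < 0) { if (errno == EINTR) continue; break; }
        total += (size_t)n;
    }
    return total;
}

/* Demonstration (constructed for this page): a child whose stderr is a full
 * pipe stalls on its first diagnostic write and only continues once the
 * parent drains the pipe. Returns 1 when both the stall and the resume were
 * observed, 0 otherwise. */
int demo_pipe_freeze(void) {
    int err[2], progress[2];
    if (pipe(err) != 0 || pipe(progress) != 0) return 0;

    /* Fill err[] with non-blocking writes, then make the write end blocking
     * again so the child's write sleeps instead of failing with EAGAIN. */
    if (set_nonblock(err[1], 1) < 0) return 0;
    size_t queued = fill_pipe(err[1]);
    if (queued == 0 || set_nonblock(err[1], 0) < 0) return 0;
    if (set_nonblock(progress[0], 1) < 0) return 0;

    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        /* Child: stderr becomes the full pipe; the message cannot be written. */
        dup2(err[1], STDERR_FILENO);
        close(err[0]); close(err[1]); close(progress[0]);
        const char msg[] = "Warning: simulated diagnostic message\n";
        (void)write(STDERR_FILENO, msg, sizeof msg - 1);   /* blocks here */
        /* Only reached after the parent has emptied the pipe. */
        (void)write(progress[1], "d", 1);
        _exit(42);
    }
    close(err[1]);       /* parent keeps no write end, so drain_pipe sees EOF */
    close(progress[1]);

    /* Give the child time to reach its write, then confirm it has not moved
     * past it: the progress pipe must still be empty and the child alive. */
    struct timespec delay = { 0, 300 * 1000 * 1000 };
    nanosleep(&delay, NULL);
    char c;
    int status;
    if (read(progress[0], &c, 1) != -1 || errno != EAGAIN) return 0;
    if (waitpid(pid, &status, WNOHANG) != 0) return 0;

    /* "Restart" the child by emptying the pipe; its pending write completes. */
    size_t drained = drain_pipe(err[0]);
    if (waitpid(pid, &status, 0) != pid) return 0;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 42) return 0;
    /* After resuming, the child's marker byte must have arrived. */
    if (read(progress[0], &c, 1) != 1 || c != 'd') return 0;
    close(err[0]); close(progress[0]);
    return drained > queued ? 1 : 0;
}

int main(void) {
    printf(demo_pipe_freeze() ? "child froze on full pipe, resumed after drain\n"
                              : "demonstration failed\n");
    return 0;
}
```

Because the child's message is shorter than `PIPE_BUF`, its write is atomic and cannot partially complete; it stays blocked for as long as the parent chooses not to read, which is exactly the "any time in the world" the post describes. Note that `dup` and `fork` share file status flags, which is why the write end is switched back to blocking before the fork rather than in the child.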
