Full Disclosure mailing list archives
Re: CAU-2008-0001 - Slowly Closing Door RaceCondition
From: "Garrett M. Groff" <groffg () gmgdesign com>
Date: Tue, 1 Apr 2008 10:44:27 -0400
Although, in all seriousness, I can imagine "physical world" things being compromised, possibly via software attacks alone (or, equally likely, a single disgruntled employee). Allow me to explain using a particular example: safes.

Companies that make safes (be they old-fashioned mechanical or electronic) often have records of their combinations corresponding to a unique serial number for each safe. Yes, they have an electronic database of all the combinations for all their safes. In the case of electronic safes, this combination is often un-changeable; the user of the safe can use that factory default code initially to create a "user combination" that can open the safe, but can later be changed (if you wish to disallow that user access later on).

Anyway, the factory default combination can't be changed and is in a database somewhere. This presents a convenience on the part of the business that produces the safes (avoids angry customers who are locked out of their safes) but reduces security for all users of that company's products.

I understand the business case for keeping records of all combinations for all safes, but the downside is security in the event that that list/database is ever leaked.

- G

----- Original Message -----
From: evilrabbi
To: Nate McFeters
Cc: full-disclosure () lists grok org uk ; bugtraq () securityfocus com
Sent: Tuesday, April 01, 2008 9:58 AM
Subject: Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door RaceCondition

Why would you release something like this without telling the vendor? What you did is irresponsible.

On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters <nate.mcfeters () gmail com> wrote:

Hahaha, nice find.
On 4/1/08, I)ruid <druid () caughq org> wrote:

                  ____      ____     __    __
                 /    \    /    \   |  |  |  |
    ----====####/  /\__\##/  /\  \##|  |##|  |####====----
               |  |      |  |__|  | |  |  |  |
               |  |  ___ |   __   | |  |  |  |
------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                   \____/  |__|  |__|  \______/

                Computer Academic Underground
                    http://www.caughq.org
                      Security Advisory

===============/========================================================
Advisory ID:    CAU-2008-0001
Release Date:   04/01/2008
Title:          Slowly Closing Door Race Condition
Application/OS: Physical Structures
Topic:          Physical structures employing exit doors with locks
                are vulnerable to a race condition.
Vendor Status:  Not Notified
Attributes:     Physical, Race Condition
Advisory URL:   http://www.caughq.org/advisories/CAU-2008-0001.txt
Author/Email:   CAU <advisories (at) caughq.org>
===============/========================================================

Overview
========

Physical structures which employ automatically locking doors to secure exit points expose a race condition which may allow unauthorized entry.

Impact
======

Malicious outsiders may be able to enter a structure via an exit point. Exit points may additionally provide an exit from a secure area of the structure, allowing an outsider entering through the exit point to gain direct access to the secure area.

Affected Systems
================

Physical structures which employ automatically locking doors at exit points of the structure.

Technical Explanation
=====================

An exit's lock[1] generally converts a two-way door into a one-way door, allowing a person to traverse the door's threshold in one direction but not in the other. These types of locks are used to secure exit points of structures so that people may exit via the door but not re-enter without disabling the lock through force or authentication.
When a person exits the structure through an exit point which is secured by such a mechanism, a race condition exists wherein a malicious outsider may be able to reach the door and enter through it before it closes and locks itself.

Many doors, especially heavier ones, also employ closing mechanisms[2] which are designed to cause the door to close slowly so as not to slam the door shut and damage the door frame, or damage any human appendage which may be in between the door and its frame. Such closing mechanisms can greatly increase the amount of time that the race condition exists.

Solution & Recommendations
==========================

1) Always ensure that personnel exiting an exit door wait outside the door until it has completely closed and locked before walking away.

2) Employ a double door system such as is used in an air-lock where the interior door must be secured prior to the exterior door being allowed to open.

Exploitation
============

First identify the exit point that you want to exploit. Stand at a safe distance during a high-traffic time and watch for people to use the exit point. Time how long it takes for the door to close and lock itself when someone traverses the exit point.

Next, identify a safe hiding place near the exit point, preferably in a direction that would be behind a person exiting the door, but which is within a distance to the exit point which you could traverse in under the door's closing time at a brisk pace or run.

Finally, hide in this location during a lower traffic time and wait for someone to utilize the exit point. After they have exited the door and are walking away, run to the door and enter before it has closed and locked.

Extra points are awarded for a spectacular dive and/or roll to catch the door at the very last second.
References
==========

[1] http://en.wikipedia.org/wiki/Lock_%28device%29
[2] http://en.wikipedia.org/wiki/Door_closer

Credits & Gr33ts
================

Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214

--
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
--
h0 h0 h0
--
www.nopsled.net
Current thread:
- Re: CAU-2008-0001 - Slowly Closing Door Race Condition evilrabbi (Apr 01)
- Re: CAU-2008-0001 - Slowly Closing Door Race Condition Razi Shaban (Apr 01)
- Re: CAU-2008-0001 - Slowly Closing Door Race Condition I)ruid (Apr 01)
- Re: CAU-2008-0001 - Slowly Closing Door RaceCondition Garrett M. Groff (Apr 01)