Re: Mac symlink attack techniques?

[Jon Hart <jhart () spoofed org>]

On Mon, Apr 14, 2008 at 10:59:05AM +0200, Marco Ivaldi wrote:
> Just a few hints off the top of my head. Specific to Mac OS X:
>
> http://www.milw0rm.com/exploits/2737
> http://www.milw0rm.com/exploits/3386
>
> Other platforms:
>
> http://www.0xdeadbeef.info/exploits/raptor_libnspr2
> http://www.0xdeadbeef.info/exploits/raptor_libnspr3
> http://www.0xdeadbeef.info/exploits/raptor_prctl2.c
> http://www.milw0rm.com/exploits/792

Thanks.  The Mac OS X examples you gave were exactly what I needed.  It
has been a while since I've had to exploit race conditions on a Mac so
my brain was a bit rusty in that respect.  I guess the reality here is
that the particular conditions in play here are really no different than
they would be on a box other than a Mac.

cron is a great way of taking advantage of this particular situation.
Without being able to take advantage of this particular flaw, the
remainder of the flaws in this particular application only lead to
gaining the privileges of another user, not root.  Those could be
further exploited but I'm a fan of instant gratification.

Cheers,

-jon


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------