
| Subject: | Re: Mac symlink attack techniques? |
|---|---|
| Date: | Mon, 14 Apr 2008 19:54:48 -0700 |
On Mon, Apr 14, 2008 at 10:59:05AM +0200, Marco Ivaldi wrote:
> Just a few hints off the top of my head.
>
> Specific to Mac OS X:
> http://www.milw0rm.com/exploits/2737
> http://www.milw0rm.com/exploits/3386
>
> Other platforms:
> http://www.0xdeadbeef.info/exploits/raptor_libnspr2
> http://www.0xdeadbeef.info/exploits/raptor_libnspr3
> http://www.0xdeadbeef.info/exploits/raptor_prctl2.c
> http://www.milw0rm.com/exploits/792
Thanks. The Mac OS X examples you gave were exactly what I needed. It has been a while since I've had to exploit race conditions on a Mac, so my brain was a bit rusty in that respect.

I guess the reality here is that the particular conditions in play here are really no different than they would be on a box other than a Mac. cron is a great way of taking advantage of this particular situation. Without being able to take advantage of this particular flaw, the remainder of the flaws in this particular application only lead to gaining the privileges of another user, not root. Those could be further exploited, but I'm a fan of instant gratification.

Cheers,
-jon