On Thu, 27 Oct 2011 10:31:12 PDT, Andrew Farmer said: > And systems like inotify make filesystem races trivial to win. I > wouldn't be surprised if you could win this particular race reliably by > watching for the files bzexe drops and acting immediately when they show > up. Good point. That actually has multiple benefits - first off, you don't have a 'while (1)' loop in your code that's easily spotted on a 'ps' or 'top'. So you can afford to set the inotify and wait (potentially days, if needed) with less chance of detection. And then when the inotify pops and tells you your file is ready to be exploited, the circumstances of returning from the blocked syscall will tend to give your process a scheduling boost, improving your chances of winning the race because you'll schedule soon. It's amazing how many optimizations people are coming up for a vulnerability that some were saying is impossible to exploit. ;)
Attachment:
pgpa1LuLaQRDI.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/