From: Jon Hart (jhart@spoofed.org)
Date: Fri Apr 11 2008 - 03:52:54 EDT
Greetings,
I'm curious if anyone has some input on this. I am in a situation where
I am able to perform a symlink attack against a process that runs as
root on a Mac. The catch is that I can create files that don't exist
and get them be created mode 666 for world writable goodness, but if the
symlink points to a file that already exists all I can do is clobber its
content with garbage.
Clearly, havoc can be made by trashing important files, but I'm looking
for an elegant and quick method for privilege escalation. Is
/etc/ld.so.conf my only option?
Any input would be appreciated.
Thanks!
-jon
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:30 EDT