Hanno Böck <ha...@hboeck.de> wrote: > Am Monday 18 October 2010 schrieb Tavis Ormandy: > > # Open a file descriptor to the target binary (note: some users are > > surprised # to learn exec can be used to manipulate the redirections of > > the current # shell if a command is not specified. This is what is > > happening below). $ exec 3< /tmp/exploit/target > > I tried to reproduce this on Gentoo and it fails at this point. It seems > the reason is that suid-binaries are not world-readable on Gentoo (on > Debian they are) - this seems to be a useful security measure. >
Hi Hanno, I explained why this is insufficient in the Notes section of my advisory, along with some example code to circumvent this. Tavis. -- ------------------------------------- tav...@cmpxchg8b.com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/