Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread psz
> ... another solution -- allow fcntl() to remove read-only and > append-only limitations, so that behaviour is at least explicit. Do not lower security, just to emulate /proc sloppiness. (That would be like fixing a root security bug by doing away with the root password.) Is there anything (curre

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Pavel Machek
Hi! (no html, please). >Proc does not need to be fixed, because /proc is referring to a file >inode. Well, that does not mean /proc does not need fixing. >You are expecting transactional behavior in /proc, where /proc only >registers object information. ... >And I think you

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Marco Verschuur
Pavel, Proc does not need to be fixed, because /proc is referring to a file inode. And due to the fact that it's being presented in /proc as an fd, you treat it as an fd, therefore your expectations do not match. Your assumption is; because you accessed the world writable file via a read-on

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Marco Verschuur
Jim, Sorry, but your 'proof' below is wrong! You are opening the locked down file as root and passing that fd as input to the nobody process. So nobody is not opening /dir/file.txt (he can't because he hasn't access to it via /dir) but root is... Therefore the write to the fd is failing, because

{PRL} My Remote File Server Privilege Escalation

2009-10-30 Thread Protek Research Lab
# Application: My Remote File Server Platforms: Windows XP Professional SP2 Exploitation: Privilege Escalation Date: 2009-10-26 Author: Francis Provencher (Protek Research Lab's)

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Jim Paris
Marco Verschuur wrote: > Your assumption that the same file descriptor is being re-opened is > wrong! The file descriptor retrieved via /proc is a new one. It is > not the same as the initial read-only. Yes, I totally agree. > Therefor it's totally of no influence what you do with the original

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Pavel Machek
Hi! > Your assumption that the same file descriptor is being re-opened is > wrong! > The file descriptor retrieved via /proc is a new one. It is not the > same as the > initial read-only. True, we were just being sloppy with the words. But it does not matter one iota. > As Martin Rex already exp

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Marco Verschuur
Jim, Your assumption that the same file descriptor is being re-opened is wrong! The file descriptor retrieved via /proc is a new one. It is not the same as the initial read-only. Do a strace on your test and you will see that the 'file descriptor' in /proc will be accessed as an ordinary

CVE-2009-1979 (Oracle RDBMS)

2009-10-30 Thread Dennis Yurichev
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi. This vulnerability was ranked 10.0 (for Windows) in CPUoct2009 and related to improper AUTH_SESSKEY parameter length validation. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html Executable + source code att

Windows Media Player Plugin: Local File Detection Vulnerability

2009-10-30 Thread renard-volant
*** Windows Media Player Plugin: Local File Detection Vulnerability *** A design flaw in Windows Media Player 11 allows a remote attacker to determine the presence of local files (programs, documents, etc.). I sent an e-mail to Microsoft (nearly a year ago) but they never responded… Windows Med

PSAtr v1.2 Sql Injection

2009-10-30 Thread info
## Securitylab.ir # Application Info: # Name: PSArt # Version: 1.2 # # Discovered By: Securitylab.ir # Website: http://securitylab.ir # Contacts: admin[at]securitylab.ir & i...@sec

CubeCart 4 Session Management Bypass

2009-10-30 Thread Bogdan Calin
CubeCart 4 Session Management Bypass Release Date: 2009/10/29 Author: Bogdan Calin (bogdan [at] acunetix [dot] com) Severity: Critical Vendor Status: Vendor has released an updated version I. Background From Wikipedia: CubeCart is a free-to-use eCommerce software solution, designed to allow ind

[ MDVSA-2009:291 ] jetty5

2009-10-30 Thread security
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ___ Mandriva Linux Security Advisory MDVSA-2009:291 http://www.mandriva.com/security/

com_jumi / jumi 2.0.5 for joomla 1.5 backdoored

2009-10-30 Thread Jan van Niekerk
Summary: another backdoored joomla component (yawn) Application: Jumi, a joomla component About Jumi: Jumi is the set of custom code extensions for Joomla! 1.0.x and 1.5.x in their native modes. Since 2006 more than 200.000 downloads. With Jumi you can include php, html, javascript scripts

[SECURITY] [DSA 1923-1] New libhtml-parser-perl packages fix denial of service

2009-10-30 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -- Debian Security Advisory DSA-1923-1 secur...@debian.org http://www.debian.org/security/ Nico Golde October 27th, 2009

Re: /proc filesystem allows bypassing directory permissions on

2009-10-30 Thread Pavel Machek
Hi! > There are two conceivable approaches to implementing the open() for > a filedescriptor shown in /proc. Either go through the inode and > check the access permissions on the file at the current time > (which is a sensible implementation and what the kernel seems > to be currently doing), or i

SafeNet SoftRemote Local Buffer Overflow - Security Advisory - SOS-09-008

2009-10-30 Thread Lists
SafeNet SoftRemote Local Buffer Overflow - Security Advisory - SOS-09-008 Release Date. 30-Oct-2009 Vendor Notification Date. 20-Jul-2009 Product. SafeNet SoftRemote Platform. Microsoft Windows Affected versions. 10.8.5

Re: /proc filesystem allows bypassing directory permissions on Linux

2009-10-30 Thread Jim Paris
> > 0700 mode from the origin, you would be right, and procfs wouldn't allow > > opening files in that directory too, but if you let others to traverse > > that directory and open your believed to be secure files from the origin, > > it's your fault. > > I can do the example with fd passing and