Collaborate Disseminate
I am sure others have analyzed this scenario before, but I cannot find a source.
Assume:
Attacker has an account on the system
Victim has an account on the system
Victim runs MyProg
There is a bug in MyProg: It creates a temporary file, b… Continue reading Is privilege escalation possible if Attacker can force Victim to write to symlink set by Attacker?
As the following code, there have a gid check, and in order to pass this check, I have to pass the currently executing file as the argument when I execute.
I was wondering how can I replace this file in order to get the bash?
It’s an obvio… Continue reading How to replace a file under gid checking?
I’m peparing for OSCP and I found an interesting situation (Alpine Linux).
There is a daemon super_service executed by root that is reading configuration file from /var/super_service/configs/ which is a symbolic link to location that my … Continue reading Looking for a way to overwrite a symbolic link
Linux-based systems are vulnerable to symlink race attacks from unprivileged UID processes. For example, a PHP process can create a symlink to /etc/passwd in a directory where Apache httpd will serve it to the Internet. For e… Continue reading Protecting Linux systems from symlink attacks [migrated]
Have you heard it said that everything in Linux is a file? That is largely true, and that’s why the ability to manipulate files is crucial to mastering Linux Fu.
One thing that makes a Linux filesystem so versatile is the ability for a file to be many places at once. It boils down to keeping the file in one place but using it in another. This is handy to keep disk access snappy, to modify a running system, or merely to keep things organized in a way that suits your needs.
There are several key features that lend to …read more
Continue reading Linux Fu: File Aliases, Links, and Mappings
I think I need to allow wide links of some kind, to handle a set of mountpoints in Samba.
The actual scenario is that I want to make a dataset’s /.zfs/snapshot (and some of its descendant individual snaps and some of their… Continue reading In Samba, what is the security difference between "wide links" and "insecure wide links"?
I found a vulnerability in one of my managed website where I can give any name to the symlink file name source link. I cannot control the target directory link though. Also I can create as many symlinks in that directory with… Continue reading Symlink file name – possible exploit?
We received a bug report (phrased as a security issue) for a program, which stated that when the program creates files on disk, it does not first verify if a symbolic link exists at the file path to be created. Because of tha… Continue reading Should programs check for symlinks before creating files?
I used the metasploit module auxiliary/admin/mysql/mysql_enum for enumerating mysql db.
This is the text of results:
Allow Use of symlinks for Database Files: YES
What is symlinks for database files? can I access to anothe… Continue reading Linux symlink to database file
I have been given a security specification document that contains some rules about the product I currently work on (docker containers). One of them states that:
All broken symlinks must be removed.
My question is, why a… Continue reading Do broken symlinks pose a security threat?