Monday, November 29, 2010

Login notifications, pam_exec scripting

If you like monitoring, you might want to receive a notification at every login (or only at root logins), in addition to logs.

/etc/profile, bashrc, etc.

One might first think of a script in /etc/profile - I saw that solution on many websites - but it is wrong, because the user can connect with ssh /bin/sh and no login script will run. Also, this kind of login does not appear in last/wtmp but only in auth.log, where sshd records it (because it is not considered an "interactive login").
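A sketch of the pam_exec approach named in the title, as an added example that is not code from the original post: a notifier that acts on the environment variables pam_exec exports (PAM_TYPE, PAM_USER, PAM_SERVICE, PAM_TTY, PAM_RHOST) instead of relying on a shell login script. The install path, the `NOTIFY_ONLY_ROOT` switch and the use of `logger` as the notification channel are assumptions, and it presumes sshd runs with PAM enabled.

```shell
#!/bin/sh
# Added example: login notifier run by pam_exec from the PAM session stack,
# e.g. in /etc/pam.d/sshd (path below is an assumption):
#   session optional pam_exec.so /usr/local/sbin/login-notify.sh
# "optional" keeps a failing notifier from blocking the login itself.

# Hypothetical switch: set to 1 to notify on root logins only.
NOTIFY_ONLY_ROOT="${NOTIFY_ONLY_ROOT:-0}"

# Strip control characters and whitespace from a PAM-supplied value so it
# cannot inject extra lines or fields into the log; empty becomes "unknown".
clean() {
    v=$(printf '%s' "$1" | tr -d '[:cntrl:][:space:]')
    printf '%s' "${v:-unknown}"
}

# Return 0 only for a session opening that matches the notification policy.
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 1
    [ -n "${PAM_USER:-}" ] || return 1
    if [ "$NOTIFY_ONLY_ROOT" = "1" ] && [ "$PAM_USER" != "root" ]; then
        return 1
    fi
    return 0
}

# Build the single-line notice from the pam_exec environment.
format_notice() {
    printf 'login user=%s service=%s tty=%s rhost=%s\n' \
        "$(clean "${PAM_USER:-}")" "$(clean "${PAM_SERVICE:-}")" \
        "$(clean "${PAM_TTY:-}")" "$(clean "${PAM_RHOST:-}")"
}

# Entry point: does nothing unless pam_exec has set PAM_TYPE=open_session.
if should_notify; then
    # logger is the assumed channel; replace with mail or a webhook as needed.
    format_notice | logger -t login-notify -p auth.notice
fi
```
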

Saturday, November 06, 2010

Exec race condition exploitations

I recently learned a cool technique for exploiting exec race conditions. It was mentioned in a comment by Julien Tinnes about the 2009 pulseaudio vulnerability in Linux, and more recently by Tavis Ormandy (@taviso) about the GNU C library dynamic linker vulnerability in which $ORIGIN is expanded in the setuid library search path. I am sure that many people have known this for ages, but it was still new to me and I thought it was worth a small post.

Monday, November 01, 2010

CTF - Challenge 19 "magicwall" writeup, double strcpy

I did not solve challenge 19 "magicwall" during the CTF - my friend Ivanlef0u (@Ivanlef0u) did - but since Fluxfingers (@fluxfingers) kept the CTF online, I had the chance to pwn it too! Just like challenge 20 "sscat", it was binary exploitation.

Hellman (@hellman1908) already made a very good writeup; I just wanted to share my different method.