@kurtseifried @kees_cook see:
attacker@dev:/tmp$ ln -s /home/victim/pwnt test
victim@dev:/tmp$ echo hi > test
-bash: test: Permission denied
Replying to @jduck
@jduck @kees_cook not all tmp vulns need to go "outside" of tmp
Replying to @kurtseifried
@kurtseifried @kees_cook i don't think it would matter if it was still in /tmp ... it's blocking based on the symlink uid not matching afaik
Replying to @jduck
@jduck @kees_cook There's lots (too many) apps using /tmp instead of /var/run/app, so even inside of /tmp there are exploits still =(
Replying to @kurtseifried
@kurtseifried @kees_cook Show me a working exploit and I'll believe you. The kernel changes are not specific to /tmp...
Replying to @jduck
@jduck @kees_cook for example things that create scripts in /tmp insanely and then execute them
Replying to @kurtseifried
@kurtseifried @kees_cook That's a neat example, but how does an attacker influence that?
Replying to @jduck
@jduck @kees_cook toctou, rewrite the script or downloaded content prior to execution. you underestimate how stupid some tmp flaws are
@kurtseifried some of those insane tools will use subdirectories without checking (mkdir -p /tmp/foo) :(