Re: Sysmask security challenge: useful or not?

From: azuredu (xiao_at_unice.fr)
Date: 04/22/05


Date: 22 Apr 2005 05:07:26 -0700

It is true that tests using ls and cat don't prove anything and are
useless. However, I don't think you are ready to accept my following
claim, at least without first testing with ls and cat. It is true that
I should have put some more warnings somewhere, but nowadays who is
reading the help pages before typing into the textarea?

I claim that the challenge can be broken only in one of the following
two cases.

1. A stupid bug in the sysmask package. I found one in the first day of
the challenge, which however did not let people get the unreadable
file; no more is propping up thereafter.

By the way, the bug is not yet fixed in the public site, but will be
within a few days.

2. A nasty bug in the kernel, leading to a privilege elevation. Way
more nasty than the recent ones behind sys_uselib() and sys_futex().
What is the probability of such a bug?

So sysmask bug put aside, the challenge is hopeless if you don't have a
privilege elevation which you know how to exploit. All this is well
explained in the documentation; but who is ready to believe such a
claim without first tried some ls and cat? And even having tried?

It is true that many utilities are missing in the environment. But the
first motive is to save place, as everything should go into a cd.
Anyway I'd better leave it this way, for otherwise people would have
more useless things to play with and would waste more time.



Relevant Pages

  • Re: Sysmask security challenge: useful or not?
    ... at least without first testing with ls and cat. ... A stupid bug in the sysmask package. ... > more useless things to play with and would waste more time. ... Doing everything via a web form is not very ...
    (comp.os.linux.security)
  • FTV: Melody gives a hunting lesson
    ... The cat looked at the stove for a while, ... they may bring the bug's cadaver into the living room ... Last Thursday night Melody came up from the basement, ... I let out a shriek and the bug took cover behind my ...
    (rec.pets.cats.anecdotes)
  • Re: FTV: Melody gives a hunting lesson
    ... The cat looked at the stove for a while, ... they may bring the bug's cadaver into the living room ... Last Thursday night Melody came up from the basement, ... I let out a shriek and the bug took cover behind my ...
    (rec.pets.cats.anecdotes)
  • Re: kernel BUG at lib/kernel_lock.c:83! - 2.6.19-1.2895.fc6
    ... kernel was tainted and just look at the "actual message", ... I had no reason to create a bugzilla report because, ... provided in my was interested because it appears to be the same bug ... kernels are completely useless around here along with that phony bug report ...
    (Fedora)
  • Re: Delphi QC Top Voted
    ... It would still be useless because it took 1,5 years to get them fixed. ... Keep customers up to date with their bug reports ... > that a patch isn't forthcoming makes any comment on the efficacy of QC. ...
    (borland.public.delphi.non-technical)