razishaban at gmail
Apr 1, 2008, 7:22 AM
Post #4 of 5
(302 views)
Permalink
|
|
Re: CAU-2008-0001 - Slowly Closing Door Race Condition
[In reply to]
|
|
April Fools!
--
Razi
On 4/1/08, evilrabbi <evilrabbi [at] gmail> wrote:
> Why would you realease something like this without telling the vendor? What
> you did is irresponsible.
>
>
>
> On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters <nate.mcfeters [at] gmail>
> wrote:
>
> > Hahaha, nice find.
> >
> >
> > On 4/1/08, I)ruid <druid [at] caughq> wrote:
> > > ____ ____ __ __
> > > / \ / \ | | | |
> > > ----====####/ /\__\##/ /\ \##| |##|
> |####====----
> > > | | | |__| | | | | |
> > > | | ___ | __ | | | | |
> > > ------======######\ \/ /#| |##| |#| |##|
> |######======------
> > > \____/ |__| |__| \______/
> > >
> > >
> > >
> > >
> > > Computer Academic Underground
> > > http://www.caughq.org
> > > Security Advisory
> > >
> > >
> ===============/========================================================
> > > Advisory ID: CAU-2008-0001
> > > Release Date: 04/01/2008
> > > Title: Slowly Closing Door Race Condition
> > > Application/OS: Physical Structures
> > > Topic: Physical structures employing exit doors with locks
> > > are vulnerable to a race condition.
> > > Vendor Status: Not Notified
> > > Attributes: Physical, Race Condition
> > > Advisory URL:
> http://www.caughq.org/advisories/CAU-2008-0001.txt
> > > Author/Email: CAU <advisories (at) caughq.org>
> > >
> ===============/========================================================
> > >
> > > Overview
> > > ========
> > >
> > > Physical structures which employ automatically locking doors to secure
> > > exit points expose a race condition which may allow unauthorized entry.
> > >
> > >
> > > Impact
> > > ======
> > >
> > > Malicious outsiders may be able to enter a structure via an exit point.
> > >
> > > Exit points may additionally provide an exit from a secure area of the
> > > structure, allowing an outsider entering through the exit point to gain
> > > direct access to the secure area.
> > >
> > >
> > > Affected Systems
> > > ================
> > >
> > > Physical structures which employ automatically locking doors at exit
> > > points of the structure.
> > >
> > >
> > > Technical Explanation
> > > =====================
> > >
> > > An exit's lock[1] generally converts a two-way door into a one-way
> > > door, allowing a person to traverse the door's threshold in one
> > > direction but not in the other. These types of locks are used to
> > > secure exit points of structures so that people may exit via the door
> > > but not re-enter without disabling the lock through force or
> > > authentication.
> > >
> > > When a person exits the structure through an exit point which is
> > > secured by such a mechanism, a race condition exists wherein a
> > > malicious outsider may be able to reach the door and enter through it
> > > before it closes and locks itself.
> > >
> > > Many doors, especially heavier ones, also employ closing mechanisms[2]
> > > which are designed to cause the door to close slowly so as not to slam
> > > the door shut and damage the door frame, or damage any human appendage
> > > which may be in between the door and it's frame. Such closing
> > > mechanisms can greatly increase the amount of time that the race
> > > condition exists.
> > >
> > >
> > > Solution & Recommendations
> > > ==========================
> > >
> > > 1) Always ensure that personnel exiting an exit door wait outside the
> > > door until it has completely closed and locked before walking
> > > away.
> > >
> > > 2) Employ a double door system such as is used in an air-lock where
> > > the interior door must be secured prior to the exterior door being
> > > allowed to open.
> > >
> > >
> > > Exploitation
> > > ============
> > >
> > > First identify the exit point that you want to exploit. Stand at a
> > > safe distance during a high-traffic time and watch for people to use
> > > the exit point. Time how long it takes for the door to close and
> > > lock itself when someone traverses the exit point.
> > >
> > > Next, identify a safe hiding place near the exit point, preferably
> > > in a direction that would be behind a person exiting the door, but
> > > which is within a distance to the exit point which you could traverse
> > > in under the door's closing time at a brisk pace or run.
> > >
> > > Finally, hide in this location during a lower traffic time and wait
> > > for someone to utilize the exit point. After they have exited the
> > > door and are walking away, run to the door and enter before it has
> > > closed and locked. Extra points are awarded for a spectacular dive
> > > and/or roll to catch the door at the very last second.
> > >
> > >
> > > References
> > > ==========
> > >
> > > [1] http://en.wikipedia.org/wiki/Lock_%28device%29
> > > [2] http://en.wikipedia.org/wiki/Door_closer
> > >
> > >
> > > Credits & Gr33ts
> > > ================
> > >
> > > Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214
> > >
> > >
> > > --
> > > I)ruid, C˛ISSP
> > > druid [at] caughq
> > > http://druid.caughq.org
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> -- h0 h0 h0 --
> www.nopsled.net
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
signature.asc
