<HTML>
<HEAD>
<TITLE>Re: [Full-disclosure] CAU-2008-0001 - Slowly Closing Door Race Condition</TITLE>
</HEAD>
<BODY>
<FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I saw Nate do a 0day sploit on this at the Hard Rock Amsterdam!<BR>
<BR>
<BR>
On 3/31/08 10:18 PM, "Nate McFeters" <nate.mcfeters@gmail.com> wrote:<BR>
<BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hahaha, nice find.<BR>
<BR>
On 4/1/08, <B>I)ruid</B> <druid@caughq.org> wrote: <BR>
</SPAN></FONT></FONT><BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'> ____ ____ __ __<BR>
/ \ / \ | | | |<BR>
----====####/ /\__\##/ /\ \##| |##| |####====----<BR>
| | | |__| | | | | |<BR>
| | ___ | __ | | | | |<BR>
------======######\ \/ /#| |##| |#| |##| |######======------<BR>
\____/ |__| |__| \______/<BR>
<BR>
Computer Academic Underground<BR>
<a href="http://www.caughq.org">http://www.caughq.org</a><BR>
Security Advisory<BR>
<BR>
===============/========================================================<BR>
Advisory ID: CAU-2008-0001<BR>
Release Date: 04/01/2008<BR>
Title: Slowly Closing Door Race Condition<BR>
Application/OS: Physical Structures<BR>
Topic: Physical structures employing exit doors with locks<BR>
are vulnerable to a race condition.<BR>
Vendor Status: Not Notified<BR>
Attributes: Physical, Race Condition<BR>
Advisory URL: <a href="http://www.caughq.org/advisories/CAU-2008-0001.txt">http://www.caughq.org/advisories/CAU-2008-0001.txt</a><BR>
Author/Email: CAU <advisories (at) caughq.org <a href="http://caughq.org"><http://caughq.org></a> ><BR>
===============/========================================================<BR>
<BR>
Overview<BR>
========<BR>
<BR>
Physical structures which employ automatically locking doors to secure<BR>
exit points expose a race condition which may allow unauthorized entry.<BR>
<BR>
<BR>
Impact<BR>
======<BR>
<BR>
Malicious outsiders may be able to enter a structure via an exit point.<BR>
<BR>
Exit points may additionally provide an exit from a secure area of the<BR>
structure, allowing an outsider entering through the exit point to gain<BR>
direct access to the secure area.<BR>
<BR>
<BR>
Affected Systems<BR>
================<BR>
<BR>
Physical structures which employ automatically locking doors at exit<BR>
points of the structure.<BR>
<BR>
<BR>
Technical Explanation<BR>
=====================<BR>
<BR>
An exit's lock[1] generally converts a two-way door into a one-way<BR>
door, allowing a person to traverse the door's threshold in one<BR>
direction but not in the other. These types of locks are used to<BR>
secure exit points of structures so that people may exit via the door<BR>
but not re-enter without disabling the lock through force or<BR>
authentication.<BR>
<BR>
When a person exits the structure through an exit point which is<BR>
secured by such a mechanism, a race condition exists wherein a<BR>
malicious outsider may be able to reach the door and enter through it<BR>
before it closes and locks itself.<BR>
<BR>
Many doors, especially heavier ones, also employ closing mechanisms[2]<BR>
which are designed to cause the door to close slowly so as not to slam<BR>
the door shut and damage the door frame, or damage any human appendage<BR>
which may be in between the door and it's frame. Such closing<BR>
mechanisms can greatly increase the amount of time that the race<BR>
condition exists.<BR>
<BR>
<BR>
Solution & Recommendations<BR>
==========================<BR>
<BR>
1) Always ensure that personnel exiting an exit door wait outside the<BR>
door until it has completely closed and locked before walking<BR>
away.<BR>
<BR>
2) Employ a double door system such as is used in an air-lock where<BR>
the interior door must be secured prior to the exterior door being<BR>
allowed to open.<BR>
<BR>
<BR>
Exploitation<BR>
============<BR>
<BR>
First identify the exit point that you want to exploit. Stand at a<BR>
safe distance during a high-traffic time and watch for people to use<BR>
the exit point. Time how long it takes for the door to close and<BR>
lock itself when someone traverses the exit point.<BR>
<BR>
Next, identify a safe hiding place near the exit point, preferably<BR>
in a direction that would be behind a person exiting the door, but<BR>
which is within a distance to the exit point which you could traverse<BR>
in under the door's closing time at a brisk pace or run.<BR>
<BR>
Finally, hide in this location during a lower traffic time and wait<BR>
for someone to utilize the exit point. After they have exited the<BR>
door and are walking away, run to the door and enter before it has<BR>
closed and locked. Extra points are awarded for a spectacular dive<BR>
and/or roll to catch the door at the very last second.<BR>
<BR>
<BR>
References<BR>
==========<BR>
<BR>
[1] <a href="http://en.wikipedia.org/wiki/Lock_%28device%29">http://en.wikipedia.org/wiki/Lock_%28device%29</a><BR>
[2] <a href="http://en.wikipedia.org/wiki/Door_closer">http://en.wikipedia.org/wiki/Door_closer</a><BR>
<BR>
<BR>
Credits & Gr33ts<BR>
================<BR>
<BR>
Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214<BR>
<BR>
<BR>
--<BR>
I)ruid, C”ISSP<BR>
druid@caughq.org<BR>
<a href="http://druid.caughq.org">http://druid.caughq.org</a><BR>
<BR>
_______________________________________________<BR>
Full-Disclosure - We believe in it.<BR>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><BR>
Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><BR>
<BR>
<BR>
<BR>
<HR ALIGN=CENTER SIZE="3" WIDTH="95%"></SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Consolas, Courier New, Courier"><SPAN STYLE='font-size:10pt'>_______________________________________________<BR>
Full-Disclosure - We believe in it.<BR>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><BR>
Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><BR>
</SPAN></FONT></FONT></BLOCKQUOTE><FONT SIZE="4"><FONT FACE="Consolas, Courier New, Courier"><SPAN STYLE='font-size:10pt'><BR>
</SPAN></FONT></FONT><FONT FACE="Verdana, Helvetica, Arial"><SPAN STYLE='font-size:9pt'>Thanks,<BR>
David Weston<BR>
Security Engineer<BR>
Science Application International Corporation<BR>
Web: <a href="http://www.saic.com/infosec">http://www.saic.com/infosec</a><BR>
Email:DAVID.G.WESTON@saic.com<BR>
Office:858-826-5435<BR>
Cell: 310-866-9713</SPAN><FONT SIZE="4"><SPAN STYLE='font-size:11pt'><BR>
</SPAN></FONT></FONT>
</BODY>
</HTML>