Hahaha, nice find.<br><br>
<div><span class="gmail_quote">On 4/1/08, <b class="gmail_sendername">I)ruid</b> <<a href="mailto:druid@caughq.org">druid@caughq.org</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> ____ ____ __ __<br> / \ / \ | | | |<br> ----====####/ /\__\##/ /\ \##| |##| |####====----<br>
| | | |__| | | | | |<br> | | ___ | __ | | | | |<br>------======######\ \/ /#| |##| |#| |##| |######======------<br> \____/ |__| |__| \______/<br>
<br> Computer Academic Underground<br> <a href="http://www.caughq.org">http://www.caughq.org</a><br> Security Advisory<br><br>===============/========================================================<br>
Advisory ID: CAU-2008-0001<br>Release Date: 04/01/2008<br>Title: Slowly Closing Door Race Condition<br>Application/OS: Physical Structures<br>Topic: Physical structures employing exit doors with locks<br>
are vulnerable to a race condition.<br>Vendor Status: Not Notified<br>Attributes: Physical, Race Condition<br>Advisory URL: <a href="http://www.caughq.org/advisories/CAU-2008-0001.txt">http://www.caughq.org/advisories/CAU-2008-0001.txt</a><br>
Author/Email: CAU <advisories (at) <a href="http://caughq.org">caughq.org</a>><br>===============/========================================================<br><br>Overview<br>========<br><br>Physical structures which employ automatically locking doors to secure<br>
exit points expose a race condition which may allow unauthorized entry.<br><br><br>Impact<br>======<br><br>Malicious outsiders may be able to enter a structure via an exit point.<br><br>Exit points may additionally provide an exit from a secure area of the<br>
structure, allowing an outsider entering through the exit point to gain<br>direct access to the secure area.<br><br><br>Affected Systems<br>================<br><br>Physical structures which employ automatically locking doors at exit<br>
points of the structure.<br><br><br>Technical Explanation<br>=====================<br><br>An exit's lock[1] generally converts a two-way door into a one-way<br>door, allowing a person to traverse the door's threshold in one<br>
direction but not in the other. These types of locks are used to<br>secure exit points of structures so that people may exit via the door<br>but not re-enter without disabling the lock through force or<br>authentication.<br>
<br>When a person exits the structure through an exit point which is<br>secured by such a mechanism, a race condition exists wherein a<br>malicious outsider may be able to reach the door and enter through it<br>before it closes and locks itself.<br>
<br>Many doors, especially heavier ones, also employ closing mechanisms[2]<br>which are designed to cause the door to close slowly so as not to slam<br>the door shut and damage the door frame, or damage any human appendage<br>
which may be in between the door and its frame. Such closing<br>mechanisms can greatly increase the amount of time that the race<br>condition exists.<br><br><br>Solution & Recommendations<br>==========================<br>
<br>1) Always ensure that personnel exiting an exit door wait outside the<br> door until it has completely closed and locked before walking<br> away.<br><br>2) Employ a double door system such as is used in an air-lock where<br>
the interior door must be secured prior to the exterior door being<br> allowed to open.<br><br><br>Exploitation<br>============<br><br>First identify the exit point that you want to exploit. Stand at a<br>safe distance during a high-traffic time and watch for people to use<br>
the exit point. Time how long it takes for the door to close and<br>lock itself when someone traverses the exit point.<br><br>Next, identify a safe hiding place near the exit point, preferably<br>in a direction that would be behind a person exiting the door, but<br>
which is within a distance to the exit point which you could traverse<br>in under the door's closing time at a brisk pace or run.<br><br>Finally, hide in this location during a lower traffic time and wait<br>for someone to utilize the exit point. After they have exited the<br>
door and are walking away, run to the door and enter before it has<br>closed and locked. Extra points are awarded for a spectacular dive<br>and/or roll to catch the door at the very last second.<br><br><br>References<br>
==========<br><br>[1] <a href="http://en.wikipedia.org/wiki/Lock_%28device%29">http://en.wikipedia.org/wiki/Lock_%28device%29</a><br>[2] <a href="http://en.wikipedia.org/wiki/Door_closer">http://en.wikipedia.org/wiki/Door_closer</a><br>
<br><br>Credits & Gr33ts<br>================<br><br>Theodor Geisel, AHA!, NMRC, Uninformed Journal, dc214<br><br><br>--<br>I)ruid, C²ISSP<br><a href="mailto:druid@caughq.org">druid@caughq.org</a><br><a href="http://druid.caughq.org">http://druid.caughq.org</a><br>
<br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br><br></blockquote></div><br>