On Thu, 2017-02-02 at 13:40 -0800, Gordon Messmer wrote:
> Escalation *requires* attacking a program in a security context other than your own.
Not necessarily. Suppose the adversary is aware of a root exploit/privilege escalation in a random library. Then the heap spraying allows this attacker to easily trigger this exploit because he is able to initialize the entire contents of the heap to his liking and thus call whatever function he likes, including the one that will cause the root exploit.
So even though heap spraying is not an attack in itself, it is a serious "crowbar", i.e., an attack vector.
If you read the article carefully, the author makes no claims that the setuid on the binary is a necessity. He clearly states he is "giving himself a break" by using a setuid binary.
Regards, Leonard.