Johnny Hughes wrote:
On 02/15/2017 09:37 AM, Leonard den Ottolander wrote:
On Thu, 2017-02-09 at 15:27 -0700, Warren Young wrote:
So you’ve now sprayed the heap on this system, but you can’t upload
anything else to it because noexec, so…now what? What has our nefarious attacker gained?
So the heap is set with data provided by the (local) attacker who could
initialize it to his liking using either of the two memory leaks in the options parsing.
The heap, which is entirely under the control of the attacker, now
contains a call to a library with parameters such that it invokes a zero day kernel privilege escalation exploit. And now the exploit will run because pkcheck allowed the attacker to initialize its entire heap via the command line.
<snip>

I've skipped most of this thread, but went through this post, and excuse me if this sounds like a stupid question... but when the attacker runs their job, isn't it *THEIR* heap, one allocated for this PID, and not any other, such as the heap allocated for PID 1?
mark
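To make the leak pattern Leonard describes concrete (repeated command-line options copied onto the heap and never released), here is an added C illustration; it is not pkcheck's code, and the `--action=` option name and the byte-counting allocator are constructed for the demonstration. It contrasts the leaky parser with one that frees the previous copy, so retained heap is bounded by one value instead of growing with argv.

```c
#include <stdlib.h>
#include <string.h>

/* Bytes handed out by the tracked allocator and not yet freed. */
static size_t g_outstanding = 0;

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); g_outstanding += n; }
    return p;
}

static void tracked_free(char *p) {
    if (p) { g_outstanding -= strlen(p) + 1; free(p); }
}

/* Hypothetical option parser; "--action=" is an invented option name.
 * With fix_leak == 0 every repeated option abandons the previous copy,
 * so the caller decides how much heap holds caller-supplied bytes. */
static char *parse_action(int argc, char **argv, int fix_leak) {
    char *action = NULL;
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "--action=", 9) != 0)
            continue;
        if (fix_leak)
            tracked_free(action);              /* release the earlier copy */
        action = tracked_strdup(argv[i] + 9);  /* leaks the earlier copy otherwise */
    }
    return action;
}

/* Build a constructed argv repeating the option `repeats` times, parse it,
 * and report how many bytes of caller-supplied data remain on the heap. */
size_t retained_heap_bytes(size_t repeats, int fix_leak) {
    const char *opt = "--action=AAAAAAAA";   /* 8 payload bytes + NUL = 9 stored */
    char **argv = malloc((repeats + 1) * sizeof *argv);
    argv[0] = "prog";
    for (size_t i = 1; i <= repeats; i++)
        argv[i] = (char *)opt;
    g_outstanding = 0;
    char *action = parse_action((int)(repeats + 1), argv, fix_leak);
    size_t retained = g_outstanding;          /* measured before cleanup */
    tracked_free(action);
    free(argv);
    return retained;
}
```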