9 Feb
2017
9 Feb
'17
10:16 p.m.
On 2/9/2017 1:03 PM, Leonard den Ottolander wrote:
Not necessarily. Suppose the adversary is aware of a root exploit/privilege escalation in a random library. Then the heap spraying allows this attacker to easily trigger this exploit because he is able to initialize the entire contents of the heap to his liking and thus call whatever function he likes, including the one that will cause the root exploit.
if the adversary is aware of this exploit and has a login (required to invoke pkexec in the first place), they can simply execute a C program to invoke it, they don't need to mess about with what you're describing.
--
john r pierce, recycling bits in santa cruz