On 2/9/2017 1:03 PM, Leonard den Ottolander wrote:

> Not necessarily. Suppose the adversary is aware of a root
> exploit/privilege escalation in a random library. Then the heap spraying
> allows this attacker to easily trigger this exploit because he is able
> to initialize the entire contents of the heap to his liking and thus
> call whatever function he likes, including the one that will cause the
> root exploit.

If the adversary is aware of this exploit and has a login (required to invoke pkexec in the first place), they can simply execute a C program to invoke it; they don't need to mess about with what you're describing.

-- 
john r pierce, recycling bits in santa cruz