[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Leonard den Ottolander leonard at den.ottolander.nl
Thu Feb 9 21:03:47 UTC 2017


On Thu, 2017-02-02 at 13:40 -0800, Gordon Messmer wrote:
> Escalation *requires* attacking a program in a security context other 
> than your own.

Not necessarily. Suppose the adversary is aware of a root
exploit/privilege escalation in a random library. Then the heap spraying
allows this attacker to easily trigger this exploit because he is able
to initialize the entire contents of the heap to his liking and thus
call whatever function he likes, including the one that will cause the
root exploit.

So even though the heap spraying is not an attack in itself, it is a
serious "crowbar", i.e. an attack vector.

If you read the article carefully, the author makes no claims that the
setuid on the binary is a necessity. He clearly states he is "giving
himself a break" by using a setuid binary.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research