[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Thu Feb 2 14:22:16 UTC 2017
Leonard den Ottolander <leonard at den.ottolander.nl>

Based on an article that was mentioned on this list 

https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html

I found two attacker controlled memory leaks in the option parsing of
pkcheck.c. These memory leaks allow a local attacker the ability to
"spray the heap", i.e. initialize large parts of the heap before
launching his attack.

The original attack uses a setuid binary, because the author "is giving
himself a break".

However, the fact that the binary in the example is setuid is orthogonal
to the fact that heap spraying is a very serious attack vector.

Bug reports are filed but closed WONTFIX. I think this is a mistake so I
would hope people could weigh in on this.

https://bugs.freedesktop.org/show_bug.cgi?id=99626
https://bugzilla.redhat.com/show_bug.cgi?id=1418278
https://bugzilla.redhat.com/show_bug.cgi?id=1418287

Thanks for your interest.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research