[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Thu Feb 9 21:16:30 UTC 2017
John R Pierce <pierce at hogranch.com>

On 2/9/2017 1:03 PM, Leonard den Ottolander wrote:
> Not necessarily. Suppose the adversary is aware of a root
> exploit/privilege escalation in a random library. Then the heap spraying
> allows this attacker to easily trigger this exploit because he is able
> to initialize the entire contents of the heap to his liking and thus
> call whatever function he likes, including the one that will cause the
> root exploit.

If the adversary is aware of this exploit and has a login (required to
invoke pkexec in the first place), they can simply execute a C program
to invoke it; they don't need to mess about with what you're describing.
-- 
john r pierce, recycling bits in santa cruz