[CentOS] Serious attack vector on pkcheck ignored by Red Hat

Wed Feb 15 16:05:07 UTC 2017
m.roth at 5-cent.us <m.roth at 5-cent.us>

Johnny Hughes wrote:
> On 02/15/2017 09:37 AM, Leonard den Ottolander wrote:
>> On Thu, 2017-02-09 at 15:27 -0700, Warren Young wrote:
>>> So you’ve now sprayed the heap on this system, but you can’t upload
>>> anything else to it because noexec, so…now what?  What has our
>>> nefarious attacker gained?
>>
>> So the heap is set with data provided by the (local) attacker who could
>> initialize it to his liking using either of the two memory leaks in the
>> options parsing.
>>
>> The heap, which is entirely under the control of the attacker, now
>> contains a call to a library with parameters such that it invokes a
>> zero-day kernel privilege escalation exploit. And now the exploit will
>> run because pkcheck allowed the attacker to initialize its entire heap
>> via the command line.
<snip>
I've skipped most of this thread, but went through this post, and excuse
me if this sounds like a stupid question... but when the attacker runs
their job, isn't it *THEIR* heap, one allocated for this PID, and not any
other, such as the heap allocated for PID 1?

     mark