Leonard den Ottolander
2017-Feb-02 14:22 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
Based on an article that was mentioned on this list
https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html
I found two attacker-controlled memory leaks in the option parsing of pkcheck.c. These memory leaks allow a local attacker to "spray the heap", i.e. initialize large parts of the heap before launching his attack.

The original attack uses a setuid binary, because the author "is giving himself a break". However, the fact that the binary in the example is setuid is orthogonal to the fact that heap spraying is a very serious attack vector.

Bug reports are filed but closed WONTFIX. I think this is a mistake, so I would hope people could weigh in on this.

https://bugs.freedesktop.org/show_bug.cgi?id=99626
https://bugzilla.redhat.com/show_bug.cgi?id=1418278
https://bugzilla.redhat.com/show_bug.cgi?id=1418287

Thanks for your interest.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
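The leak pattern the post describes, as an added example that is not code from pkcheck or polkit: a hypothetical option parser in which a repeated option overwrites the previous strdup'd value without freeing it, beside the corrected form. The option names, the instrumented allocator that counts live heap bytes, and the 32-byte payload are assumptions made for illustration. Each repetition of the option leaves one block on the heap whose size and contents the caller chose, which is what makes such a leak usable for heap grooming from an unprivileged command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented allocator so the leak is observable: tracks live heap blocks
 * and bytes. Real programs use plain malloc/strdup; this wrapper is an
 * assumption made for the example. */
static long live_blocks = 0;
static long live_bytes  = 0;

static char *tracked_strdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) return NULL;
    memcpy(p, s, n);
    live_blocks++;
    live_bytes += (long)n;
    return p;
}

static void tracked_free(char *p)
{
    if (!p) return;
    live_blocks--;
    live_bytes -= (long)(strlen(p) + 1);
    free(p);
}

/* Leaky pattern (hypothetical): a repeated option overwrites the pointer
 * without freeing the previous copy, so every repetition leaves one
 * attacker-sized, attacker-filled block behind on the heap. */
static void parse_leaky(int argc, char **argv, char **action_id, char **process)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--action-id") == 0)
            *action_id = tracked_strdup(argv[++i]);   /* old *action_id leaked */
        else if (strcmp(argv[i], "--process") == 0)
            *process = tracked_strdup(argv[++i]);     /* old *process leaked */
    }
}

/* Hardened pattern: release the previous copy before storing the new one.
 * Rejecting a repeated option outright is the other common fix. */
static void parse_fixed(int argc, char **argv, char **action_id, char **process)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--action-id") == 0) {
            tracked_free(*action_id);
            *action_id = tracked_strdup(argv[++i]);
        } else if (strcmp(argv[i], "--process") == 0) {
            tracked_free(*process);
            *process = tracked_strdup(argv[++i]);
        }
    }
}

/* Build a constructed "spray" command line of `reps` copies of
 * `--action-id <payload>`, run it through the chosen parser, free what the
 * parser still holds, and report the bytes that stay on the heap: memory
 * the program no longer has a pointer to and can never free. */
long leaked_bytes(int reps, const char *payload, int use_fix)
{
    int argc = 1 + 2 * reps;
    char **argv = calloc((size_t)argc + 1, sizeof *argv);
    argv[0] = "pkcheck";
    for (int r = 0; r < reps; r++) {
        argv[1 + 2 * r] = "--action-id";
        argv[2 + 2 * r] = (char *)payload;
    }
    long before = live_bytes;
    char *action_id = NULL, *process = NULL;
    if (use_fix) parse_fixed(argc, argv, &action_id, &process);
    else         parse_leaky(argc, argv, &action_id, &process);
    tracked_free(action_id);
    tracked_free(process);
    free(argv);
    return live_bytes - before;
}

int main(void)
{
    /* Constructed 32-byte payload; a real spray would pick a size that
     * lands in the allocator bin the attacker wants to fill. */
    const char *payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("leaky parser, 1000 repeats: %ld bytes left on heap\n",
           leaked_bytes(1000, payload, 0));
    printf("fixed parser, 1000 repeats: %ld bytes left on heap\n",
           leaked_bytes(1000, payload, 1));
    return 0;
}
```

Compile with `cc -Wall -o leak leak.c` and run; with the leaky parser, 1000 repetitions of a 32-byte value leave 999 blocks of 33 bytes (32967 bytes) that the process can no longer free, while the fixed parser leaves none. The command line is the only input, so an unprivileged local user controls both the number and the size of the blocks.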
John R Pierce
2017-Feb-02 14:40 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On 2/2/2017 6:22 AM, Leonard den Ottolander wrote:
> However, the fact that the binary in the example is setuid is orthogonal
> to the fact that heap spraying is a very serious attack vector.

Without privilege escalation, what does it attack?

--
john r pierce, recycling bits in santa cruz
Leonard den Ottolander
2017-Feb-02 14:51 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
On Thu, 2017-02-02 at 06:40 -0800, John R Pierce wrote:
> On 2/2/2017 6:22 AM, Leonard den Ottolander wrote:
> > However, the fact that the binary in the example is setuid is orthogonal
> > to the fact that heap spraying is a very serious attack vector.
>
> Without privilege escalation, what does it attack?

pkcheck might not be directly vulnerable. However, pkexec is. Closing these bugs because pkcheck might not be directly vulnerable also stops pkexec from being fixed. And pkexec clearly is vulnerable.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research