m.roth at 5-cent.us
2017-Feb-15 16:05 UTC
[CentOS] Serious attack vector on pkcheck ignored by Red Hat
Johnny Hughes wrote:
> On 02/15/2017 09:37 AM, Leonard den Ottolander wrote:
>> On Thu, 2017-02-09 at 15:27 -0700, Warren Young wrote:
>>> So you've now sprayed the heap on this system, but you can't upload
>>> anything else to it because noexec, so... now what? What has our
>>> nefarious attacker gained?
>>
>> So the heap is set with data provided by the (local) attacker, who could
>> initialize it to his liking using either of the two memory leaks in the
>> options parsing.
>>
>> The heap, which is entirely under the control of the attacker, now
>> contains a call to a library with parameters such that it invokes a
>> zero-day kernel privilege escalation exploit. And now the exploit will
>> run because pkcheck allowed the attacker to initialize its entire heap
>> via the command line.
<snip>

I've skipped most of this thread, but went through this post, and excuse me if this sounds like a stupid question... but when the attacker runs their job, isn't it *THEIR* heap, one allocated for this PID, and not any other, such as the heap allocated for PID 1?

mark
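The mechanism the quoted text relies on (a memory leak in option parsing that lets a local user fill the process heap with strings of their choosing by repeating an option) is small enough to model. The C below is an added illustration written for this page, not pkcheck's or polkit's code: it is a constructed parser that handles a single option, named --action-id here purely for illustration, in a leaky form and a fixed form, plus a harness that drives each with N repeats of a chosen payload and reports how many bytes the parser left allocated and whether every leftover block holds exactly that payload. The registry that tracks live allocations is there only so the harness can inspect and reclaim what the parser abandoned.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Registry of live strings handed out by dup_tracked(), so the harness can
   inspect what a parser left allocated after it returned, then release it. */
#define MAX_LIVE 8192
static char *g_live[MAX_LIVE];
static size_t g_nlive;

static char *dup_tracked(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p == NULL || g_nlive == MAX_LIVE)
        abort();
    memcpy(p, s, n);
    g_live[g_nlive++] = p;
    return p;
}

static void free_tracked(char *p)
{
    if (p == NULL)
        return;
    for (size_t i = 0; i < g_nlive; i++) {
        if (g_live[i] == p) {
            g_live[i] = g_live[--g_nlive];
            free(p);
            return;
        }
    }
    abort(); /* not something we allocated */
}

/* Leaky variant (hypothetical, modelled on the pattern discussed above):
   a repeated option overwrites the pointer to the previous copy and nothing
   frees it, so repeating the option N times with chosen strings leaves N-1
   attacker-chosen blocks on this process's heap.  Returns times seen. */
int parse_leaky(int argc, char **argv)
{
    char *action = NULL;
    int seen = 0;
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--action-id") == 0) {
            action = dup_tracked(argv[++i]); /* previous copy now unreachable */
            seen++;
        }
    }
    free_tracked(action);
    return seen;
}

/* Fixed variant: release the previous copy before taking a new one, so at
   most one value is live however often the option repeats. */
int parse_fixed(int argc, char **argv)
{
    char *action = NULL;
    int seen = 0;
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--action-id") == 0) {
            free_tracked(action);
            action = dup_tracked(argv[++i]);
            seen++;
        }
    }
    free_tracked(action);
    return seen;
}

/* Drive `parser` with `repeats` copies of "--action-id <payload>", as a local
   user could from a shell.  Returns the bytes the parser left allocated and
   sets *all_payload to 1 if every leftover block holds exactly `payload`. */
size_t leaked_bytes(size_t repeats, const char *payload,
                    int (*parser)(int, char **), int *all_payload)
{
    int argc = (int)(1 + 2 * repeats);
    char **argv = calloc((size_t)argc + 1, sizeof *argv);
    if (argv == NULL)
        abort();
    argv[0] = "prog";
    for (size_t r = 0; r < repeats; r++) {
        argv[1 + 2 * r] = "--action-id";
        argv[2 + 2 * r] = (char *)payload;
    }
    parser(argc, argv);
    free(argv);

    size_t total = 0;
    *all_payload = 1;
    while (g_nlive > 0) { /* inspect, then reclaim, whatever was left behind */
        char *p = g_live[--g_nlive];
        total += strlen(p) + 1;
        if (strcmp(p, payload) != 0)
            *all_payload = 0;
        free(p);
    }
    return total;
}

int main(void)
{
    char payload[65]; /* constructed sample payload: 64 'A's */
    memset(payload, 'A', 64);
    payload[64] = '\0';
    int ok;
    size_t left = leaked_bytes(1000, payload, parse_leaky, &ok);
    printf("leaky: %zu bytes left, all payload: %d\n", left, ok);
    left = leaked_bytes(1000, payload, parse_fixed, &ok);
    printf("fixed: %zu bytes left\n", left);
    return 0;
}
```

With 1000 repeats of a 64-byte string the leaky parser leaves 999 blocks of exactly that string allocated and the fixed one leaves none; scaling the repeat count or payload length scales the spray accordingly. Everything it leaves behind sits in the heap of the process that ran the parser, which is the point the question in the post turns on.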