Serious attack vector on pkcheck ignored by Red Hat




Based on an article that was mentioned on this list 

https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html

I found two attacker controlled memory leaks in the option parsing of
pkcheck.c. These memory leaks allow a local attacker the ability to
"spray the heap", i.e. initialize large parts of the heap before
launching his attack.

The original attack uses a setuid binary, because the author "is giving
himself a break".

However, the fact that the binary in the example is setuid is orthogonal
to the fact that heap spraying is a very serious attack vector.

Bug reports are filed but closed WONTFIX. I think this is a mistake so I
would hope people could weigh in on this.

https://bugs.freedesktop.org/show_bug.cgi?id=99626
https://bugzilla.redhat.com/show_bug.cgi?id=1418278
https://bugzilla.redhat.com/show_bug.cgi?id=1418287

Thanks for your interest.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
