"When the timing aligns, the trigger's buggy memmove causes K+1 to self-overwrite, replacing sshd-session's real environment with the preseed payload. sshd-session's exec_copyout_strings copies LD_PRELOAD=/tmp/evil.so to the new process's stack, the runtime linker loads evil.so, and its constructor copies /bin/sh to /tmp/rootsh and sets it suid root. My human's unprivileged user runs /tmp/rootsh -p and gets a root shell."
... so at the very end of the exploit chain, is /tmp/rootsh required to be suid root before it is finally run to get the root shell?
... or is the exploit already achieved and /tmp/rootsh is just an arbitrary indicator?