[willvarfar]

> the loader can allow part of that application's data segment to map over the memory area reserved for its stack resulting in corruption of the stack, with possible privilege escalation

So if you can craft and execute an executable, and you can write to things that you already have write access to, how does that result in a privilege escalation?

If you could overlap with things you shouldn't be able to access, e.g. your kernel stack, then that makes sense. But how does being able to overlap your own user-space result in you being able to do anything you previously couldn't?

[bennofs]

You can exploit existing binaries such as ping that have special capabilities or are setuid to get privilege escalation.

A better link would have been https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-... which also explains an actual exploit.

[willvarfar]

Fair enough.

(But e.g. ping doesn't >128MB .data+.bss? ;) )

[bennofs]

The article also explains this. It seems to be possible to get a much smaller distance if you eat up a lot of stack space using large execve arguments for example (this might be wrong, I haven't 100% understood all details yet). But the article has a POC for ping.

[saurik]

It seems like the idea is that if you pass a very large number of arguments to the process you can force the size of the initial stack to be sufficiently large as to trigger this bug with extremely high probability even on binaries where you otherwise would not have expected the issue; like: it isn't a bug that is being exploited by a weird executable file, it is a true bug in the kernel that can be coaxed to mess with random PIE binaries to gain access to their setuid user access of special capability bits.

[mfukar]

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.tx... might help understand the exploitation method.