Full Disclosure mailing list archives

Re: PaX privilege elevation security bug


From: Christophe Devine <devine () iie cnam fr>
Date: Sun, 13 Mar 2005 10:01:25 +0100

pageexec () freemail hu wrote:

> it is definitely exploitable for local users,
> remote exploitability depends on how much control
> one can have over executable file mappings in the
> target

Indeed, this flaw can be exploited locally via the page table
cache using the same technique from Paul Starzetz's mremap #2
exploit - there are probably other attack vectors though.

Attachment: paxomatic.c

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
