Neat tricks! Sad that SMAP breaks them :(
Thanks! If there were a way to set some 8-byte kernel global variable from an unprivileged user, it could be used to bypass SMAP (by storing the pointer to the data you want to leak in this variable), but nothing really came to mind when I was thinking about this.

Yeah, having an unprivileged user store a kernel address in a global variable would resolve the whole problem. And I assume that with heap spraying it would still be very hard to guess right.
End of conversation
New conversation
This bugged me during Meltdown too: is there not some way to leverage an arbitrary kernel read primitive in Linux directly into escalation of privilege through knowing some token or state of pool memory, etc.? In Windows, a trivial security token read gets you SYSTEM. No equivalent for Linux?
I don't know of an "easy" way to turn an arbitrary read into privileged code execution on either operating system. Just reading a SYSTEM token doesn't do very much. On Linux the obvious target is the disk cache, but still no simple path to root shell.
With Meltikatz at RSA, @DAlperovitch showed how I was able to get the NTLM hashes from memory.
Those, Kerberos tickets, or passwords would be the gold standard there.
End of conversation