On Fri, Nov 16, 2012 at 12:35:46PM +0000, Julian Yon wrote:
> > Meanwhile, if you can own the other end to the point where you can
> > open an executable file containing code you supplied and pass it down
> > an existing socket connection, you've already done arbitrary code
> > execution. If the other end is a W^X chroot, that's not supposed to be
> > possible; if the other end isn't chrooted you've probably already won.
>
> The spec only requires that the file only needs to be open for reading.
> The calling process needs to have permission to execute the file, but
> in Thor's scenario the process that opens the FD doesn't.

That is clearly broken, then.

-- 
David A. Holland
dholl...@netbsd.org