On Aug 22, 2013, at 11:45 AM, Jakub Zawadzki <[email protected]> wrote:

> Security issue: 
> http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

Exploiting a combination of

    1) JIT-equipped BPF's ability to put safe-but-still-somewhat-controllable code into the kernel under userland command;

    2) x86's non-fixed-length instructions, so that if safe code also contains a byte sequence that corresponds to unsafe code, you can jump to that byte sequence;

    3) UNIX-domain sockets' requirement to keep a sent file descriptor open (and thus to keep around everything attached to the FD, including a BPF filter) even if you close the socket yourself, so you can create a lot of instances of the JITted code without running out of FDs in your process;

    4) some existing exploit that lets you control where the kernel jumps to;

to let you put Bad Code into enough locations that it's not *too* hard to find where it is and then go there.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
