
Has anybody read the Huge Dirty COW writeup?

Can we also map shmem files using THP and achieve the same result as Dirty COW, privileged access to files?

  • the blog has a comment section at the bottom – schroeder Nov 30 '17 at 16:37
  • `Our POC demonstrates overwriting the huge zero page. Overwriting shmem should be equally possible and would lead to an alternative exploit path.` – forest Dec 01 '17 at 03:17
  • Based on https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405 "This bug is not as severe as the original 'Dirty cow' because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP)". So my question is whether it is possible to overwrite regular files? And what are shmem files? – dev Dec 04 '17 at 10:17
  • OK, so I guess it works only in the "/proc/self/fd/" filesystem... However, in the Bindecy doc they mention the memfd_create function, so I am wondering how I can tap into an already created resource to modify a privileged memory allocation. – dev Dec 04 '17 at 11:01
  • I guess with shmat... Now the question is how to find valuable sealed shmem... Any ideas for practical exploitation, anyone? What could the practical exploitation scenario look like? – dev Dec 04 '17 at 11:23

0 Answers