Thank you very much!
I now understand things that I desperately wanted to know about Hurd internals.
On November 2, 2021 6:31:17 PM GMT+02:00, Sergey Bugaev wrote:
>Hello!
>
>As promised [0], here are the details of the Hurd vulnerabilities I have found
>earlier this year [1] [2].
>
>[0]: https://l
Fantastic work and writeup.
Apologies for interjecting here.
On Tue, Nov 2, 2021 at 6:54 PM Samuel Thibault wrote:
> Hello,
>
> Thanks a lot for this writing! That'll surely be an interesting read for
> whoever wants to look a bit at the details of how the Hurd works. And of
> course thanks for
Hello,
Thanks a lot for this writing! That'll surely be an interesting read for
whoever wants to look a bit at the details of how the Hurd works. And of
course thanks for finding and fixing the vulnerabilities :)
Samuel
Hello!
As promised [0], here are the details of the Hurd vulnerabilities I have found
earlier this year [1] [2].
[0]: https://lists.gnu.org/archive/html/bug-hurd/2021-10/msg6.html
[1]: https://lists.gnu.org/archive/html/bug-hurd/2021-05/msg00079.html
[2]: https://lists.gnu.org/archive/html/bu
Short description
=================
libports accepts fake notification messages from any client on any port, which
can lead to port use-after-free, which can be exploited for local privilege
escalation to get full root access to the system.
Background: Mach notifications
Hi,
On 2/11/21 at 17:35, Samuel Thibault wrote:
Hello,
Thanks a lot for this writing! That'll surely be an interesting read for
whoever wants to look a bit at the details of how the Hurd works. And of
course thanks for finding and fixing the vulnerabilities :)
Yes, I'm gonna read it c
Short description
=================
The use of the authentication protocol in the proc server is vulnerable to
man-in-the-middle attacks, which can be exploited for local privilege escalation
to get full root access to the system.
Background: authentication
==========================
Here, the word
Short description
=================
A single pager port is shared between anyone who mmaps a file, allowing anyone
to modify any files they can read. This can be trivially exploited to get full
root access to the system.
Background: Mach memory objects
===============================
Mach has t
Short description
=================
When trying to exec a setuid executable, there's a window of time when the
process already has the new privileges, but still refers to the old task and is
accessible through the old process port. This can be exploited to get full root
access to the system.
Bac