that's what Big POSIX wants you to think pal
Ohhh I had no idea about hwcaps! This is great! That is the way to solve this problem.
I have a conspiracy theory, unsupported by facts, that Richard Stallman secretly invented POSIX as a way to get the proprietary UNIX vendors to waste time on something whose only value was to make it easier for folks to…
I think .init_array is too late in the game. ifunc lets you hijack the loader, because it is sort of like a plugin or dynamic config for the loader itself. Everything should be loaded and resolved by the point that…
You may well be right about this! What I genuinely don't understand then, is why Jia Tan relied on ifunc rather than POSIX constructors. Seems like that would have been easier and more widely applicable, right?
I don't have any secret information! Folks were giving me a hard time about claiming that ifunc is central to this attack, and I would genuinely find it valuable to know that Jia Tan could have (for example) performed…
I've updated the post and am offering $500 if you can pull this attack off without ifunc.
Take my money!!
I take your meaning, but I think a threat actor targeting a system without IFUNC would be delighted if it suddenly showed up. It's like finding a website with a file upload form that purposefully supports ../ in paths.
[dead]
I do not think the OpenSSH folks are at fault! I was trying to drive the point that OpenSSH was forced to work in an environment that is very, very different from where it is primarily developed. I don't think the…
> The game was lost as soon as the attacker had arbitrary code installed in a semi-common library. That is not quite true! You still have to get the code to be executed. I can call dlopen on a malicious library, load it…
that's what Big POSIX wants you to think pal
Ohhh I had no idea about hwcaps! This is great! That is the way to solve this problem.
I have a conspiracy theory, unsupported by facts, that Richard Stallman secretly invented POSIX as a way to get the proprietary UNIX vendors to waste time on something whose only value was to make it easier for folks to…
I think .init_array is too late in the game. ifunc lets you hijack the loader, because it is sort of like a plugin or dynamic config for the loader itself. Everything should be loaded and resolved by the point that…
You may well be right about this! What I genuinely don't understand then, is why Jia Tan relied on ifunc rather than POSIX constructors. Seems like that would have been easier and more widely applicable, right?
I don't have any secret information! Folks were giving me a hard time about claiming that ifunc is central to this attack, and I would genuinely find it valuable to know that Jia Tan could have (for example) performed…
I've updated the post and am offering $500 if you can pull this attack off without ifunc.
Take my money!!
I take your meaning, but I think a threat actor targeting a system without IFUNC would be delighted if it suddenly showed up. It's like finding a website with a file upload form that purposefully supports ../ in paths.
[dead]
I do not think the OpenSSH folks are at fault! I was trying to drive the point that OpenSSH was forced to work in an environment that is very, very different from where it is primarily developed. I don't think the…
> The game was lost as soon as the attacker had arbitrary code installed in a semi-common library. That is not quite true! You still have to get the code to be executed. I can call dlopen on a malicious library, load it…