On Fri, Jan 16, 2026 at 12:10 PM Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
On Thu, Jan 15, 2026 at 11:03:48PM -0500, David Higgs wrote:
> On Thu, Jan 15, 2026 at 2:28 PM <fro@disciples.com> wrote:
>
> > It looks like the author of these has posted an updated POC of the W^X
> > break script since the start of this thread.
> >
> > Here:
> > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/issues/107#note_47812
> >
> > Quoting, they say this:
> >
> > "I have seen on openbsd-misc that people are rightfully claiming this
> > break does not work on OpenBSD due to pinsyscalls. That said, this is only
> > because I was lazy when writing the poc, this break has otherwise nothing
> > to do with pinsyscalls. Also note this break works regardless of whether
> > the executable memory was mapped MAP_PRIVATE or MAP_SHARED. Below is an
> > update poc that pops a shell despite pinsyscalls on OpenBSD using a simple
> > libc trampoline"
> >
> > I can also confirm that this works as they say.
>
>
> The first, previously-linked example does not make any syscalls between the
> two stack pivots. MAP_STACK is enforced at the kernel syscall boundary.
> Note the "exploit" didn't work when it made a printf (write) call after
> only one stack pivot.
>
> The second example demonstrates lazy-loading of file-backed mmap content.
> Pinsyscalls is not involved because all syscalls are still made through
> libc. Note the file is truncated before the mmap. What do you think is
> present in the mmap'd buffer before the write+close?
>
> There is no privilege escalation in either case. The burglar is already
> inside the house.
> https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31283
Hey David,
I can't seem to find where the original author (Ali Polatel) claimed
his techniques were that of a privesc nature. Can you point me to
where privilege escalation was claimed by the original author?
I didn't see that exact phrasing, but I think the point still stands. An attacker with this level of control shouldn't need these techniques to gain access to the system - they already have it.
--david
No comments:
Post a Comment