Local privilege escalation via execve()

Scope and Practical Impact

  • Advisory states “no workaround,” which several commenters find troubling, especially for systems where immediate reboot is hard.
  • Others argue production systems should always be prepared for short-notice reboots and that upgrade-and-reboot is the standard response to serious kernel bugs.
  • Some suggest that any machine with regular non-admin logins should be treated as potentially compromised and architected accordingly.

Multi-user Threat Models & Use Cases

  • Debate over how common multi-user Unix boxes still are:
    • Some say they no longer run systems where untrusted users have shell access.
    • Others point to universities, research clusters, and shared hosting (web hosting, science clusters) as heavily multi-user and very exposed to LPEs.
  • Distinction drawn between VM-level isolation (VPS) and traditional shared shells/users on the same kernel.

Exploit Mechanics and SUID Question

  • Vulnerability is a buffer issue in execve(), not tied to SUID binaries specifically.
  • Clarification: what is needed is a root-owned process calling execve() (e.g., sshd spawning a session), not necessarily a setuid binary.
  • The exploit overwrites the environment (e.g., injecting LD_PRELOAD), backdoors sshd, and then creates a persistent SUID-root shell; the SUID step is after root is already obtained.

Patch Status & Versioning

  • Bug introduced in newer FreeBSD 13-derived code; older versions without the consume logic in kern_exec.c are reported as unaffected.
  • Advisory indicates it was patched in recent 15.0-RELEASE patch levels; for those tracking updates, it may already be “two reboots ago.”

C Coding Practices and memmove Bug

  • Core bug is incorrect pointer arithmetic in a memmove length calculation.
  • Long subthread critiques:
    • Complex expressions and operator precedence in C.
    • Preference for explicit parentheses, breaking expressions into variables, and avoiding duplicated subexpressions.
    • Comparisons to languages that flatten or eliminate precedence rules.
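To make the subthread's point concrete, here is an added example (constructed for this summary, not FreeBSD's kern_exec.c or the advisory's code): a small packed string table where the first entry is removed by shifting the rest down with memmove. The `drop_first_dense` variant folds the length into one expression and carries a hypothetical misplaced parenthesis; the `drop_first_clear` variant names each quantity, checks the invariant, and is the style the commenters advocate. `strtab_count` is the cheap consistency check a reviewer would want, and the assumed `struct strtab` layout and sample strings are ours.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat table: NUL-terminated strings packed back to back in buf[0..used). */
struct strtab {
    char buf[64];
    size_t used;            /* bytes in use, always <= sizeof buf */
};

/* Build a table from a NULL-terminated list of C strings (constructed input). */
static int strtab_load(struct strtab *t, const char *const *strs)
{
    memset(t, 0, sizeof *t);
    for (size_t i = 0; strs[i] != NULL; i++) {
        size_t n = strlen(strs[i]) + 1;          /* string plus its NUL */
        if (n > sizeof t->buf - t->used)
            return -1;                           /* would not fit */
        memcpy(t->buf + t->used, strs[i], n);
        t->used += n;
    }
    return 0;
}

/* Number of strings in the table, or -1 if the last byte in use is not a
 * terminator. Extra or missing terminators show up here as a wrong count. */
static int strtab_count(const struct strtab *t)
{
    if (t->used == 0)
        return 0;
    if (t->buf[t->used - 1] != '\0')
        return -1;
    int n = 0;
    for (size_t i = 0; i < t->used; i++)
        if (t->buf[i] == '\0')
            n++;
    return n;
}

/* Dense style: one expression for the memmove length. The author meant
 * end - nul - 1 (bytes after the first NUL) but wrote end - (nul - 1),
 * which is two bytes too many. Hypothetical slip, illustrating the
 * precedence/grouping complaint in the thread. */
static int drop_first_dense(struct strtab *t)
{
    char *end = t->buf + t->used;
    char *nul = memchr(t->buf, '\0', t->used);
    if (nul == NULL)
        return -1;
    size_t len = (size_t)(end - (nul - 1));      /* wrong: should be end - nul - 1 */
    memmove(t->buf, nul + 1, len);               /* copies 2 bytes past the live data */
    t->used = len;                               /* table now claims 2 stale bytes */
    return 0;
}

/* Clear style: name each quantity, check the invariant, then move. */
static int drop_first_clear(struct strtab *t)
{
    const char *start = t->buf;
    const char *end = t->buf + t->used;
    const char *nul = memchr(start, '\0', t->used);
    if (nul == NULL)
        return -1;                               /* malformed: no terminator */
    size_t removed = (size_t)(nul - start) + 1;  /* first string plus its NUL */
    size_t remaining = (size_t)(end - nul) - 1;  /* everything after that NUL */
    assert(removed + remaining == t->used);      /* cheap invariant check */
    memmove(t->buf, t->buf + removed, remaining);
    t->used = remaining;
    return 0;
}

int main(void)
{
    const char *const argv0[] = { "ls", "-la", "/tmp", NULL };  /* constructed */
    struct strtab a, b;
    strtab_load(&a, argv0);
    strtab_load(&b, argv0);
    drop_first_clear(&a);
    drop_first_dense(&b);
    printf("clear: used=%zu strings=%d\n", a.used, strtab_count(&a));  /* 9, 2 */
    printf("dense: used=%zu strings=%d\n", b.used, strtab_count(&b));  /* 11, 4 */
    return 0;
}
```

The dense version passes the naive "last byte is NUL" check because the bytes it drags in are zero-initialised here; the string count is what exposes the miscalculation, which is why a structural invariant beats eyeballing the arithmetic.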

AI-Generated Exploit & Meta Discussion

  • Linked write-up and PoC were produced with heavy AI assistance.
  • Mixed reactions: some impressed by the quality; others push back on phrasing that credits the tool rather than the human prompt/oversight.