hashstring 2 hours ago

Eh, if you can pollute page caches this won't save you. Think modifying shared libraries, LD_PRELOAD, cron, I guess on some systems /etc/passwd even. There are a lot of files readable that should definitely not be writable.
rkeene2 an hour ago (parent)

Fair enough -- a simpler change might be to poison /etc/passwd and call `su` to a user that has uid 0, since that requires no shell code nor a readable binary, and this seems to have worked in a slightly modified POC: