undefined | Better HN

0 pointsCGamesPlay3d ago0 comments

Proc title is very easily forged (without root even). Obviously a real privileged process could modify the kernel and do whatever it wants, but if I were trying to detect this I would start with /proc/$id/exe.

0 comments

Retr0id3d ago

/proc/pid/exe is also easily forged, without root. For example you can do LD_PRELOAD=evil.so /bin/foo on any dynamic executable, or spawn /bin/foo unmodified and inject code via ptrace or /proc/pid/mem.

I have a fileless, execless copyfail exploit that works by injecting shellcode directly into systemd's pid 1. (I should probably publish it at some point...)

jeffbee3d ago

Maybe, but there's a prctl to change that reference which a root process can use.

j / k navigate · click thread line to collapse

0 comments

Retr0id3d ago

I have a fileless, execless copyfail exploit that works by injecting shellcode directly into systemd's pid 1. (I should probably publish it at some point...)

jeffbee3d ago

Maybe, but there's a prctl to change that reference which a root process can use.

j / k navigate · click thread line to collapse