
On my system, all SUID binaries are executable yet not readable, e.g.

  $ ls -l /bin/su
  -rws--x--x 1 root root 52144 Mar  5  2011 /bin/su
Doesn't this effectively stop the exploit? It still works when I insert the <exit@plt> function address, but I don't think it's possible to trace this without root rights, which kind of defeats the purpose.


It doesn't stop the exploit, as it is still possible to use ptrace to essentially dump the binary, even though it's not readable.


Or if you know the distro, it is trivial to get the package containing the su executable and locate the address.
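
Locating the address from a copy of the binary, as an added example that is not part of the thread and not from the exploit the posters are discussing: the script below walks an ELF's section headers, reads the .rel(a).plt relocations and the dynamic symbol table, and maps each imported function (including exit) to its PLT stub, which is the <exit@plt> address the first poster mentions. It assumes the classic lazy-binding PLT layout with 16-byte stubs (x86 and x86-64; binaries linked with -z now, .plt.sec or .plt.got need a different walk). The sample ELF is constructed inline so the script runs offline; the names build_sample_elf, plt_addresses and plt_address are mine.

```python
import struct
import sys

SHT_PROGBITS, SHT_STRTAB, SHT_RELA, SHT_REL, SHT_DYNSYM = 1, 3, 4, 9, 11


def _cstr(data, off):
    """Read a NUL-terminated string starting at byte offset off."""
    return data[off:data.index(b"\0", off)].decode()


def _sections(data):
    """Parse the section header table. Returns (is64, [section dicts])."""
    if data[:4] != b"\x7fELF" or data[5] != 1:
        raise ValueError("expected a little-endian ELF image")
    is64 = data[4] == 2
    if is64:
        shoff = struct.unpack_from("<Q", data, 0x28)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        fmt = "<IIQQQQIIQQ"          # Elf64_Shdr
    else:
        shoff = struct.unpack_from("<I", data, 0x20)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        fmt = "<IIIIIIIIII"          # Elf32_Shdr
    keys = ("name", "type", "flags", "addr", "offset", "size", "link", "info", "align", "entsize")
    secs = [dict(zip(keys, struct.unpack_from(fmt, data, shoff + i * shentsize)))
            for i in range(shnum)]
    names = secs[shstrndx]["offset"]
    for s in secs:
        s["name"] = _cstr(data, names + s["name"])
    return is64, secs


def plt_addresses(data):
    """Map each imported function name to its PLT stub address.

    Assumption: classic lazy PLT, where PLT[0] is the resolver trampoline and
    the i-th .rel(a).plt relocation owns stub PLT[i+1] (16 bytes each on x86).
    """
    is64, secs = _sections(data)
    by_name = {s["name"]: s for s in secs}
    plt = by_name.get(".plt")
    rel = by_name.get(".rela.plt") or by_name.get(".rel.plt")
    if plt is None or rel is None:
        return {}
    dynsym = secs[rel["link"]]       # sh_link of the reloc section -> .dynsym
    dynstr = secs[dynsym["link"]]    # sh_link of .dynsym -> .dynstr
    if is64:
        rel_fmt = "<QQq" if rel["type"] == SHT_RELA else "<QQ"
        sym_fmt, sym_size = "<IBBHQQ", 24
    else:
        rel_fmt = "<IIi" if rel["type"] == SHT_RELA else "<II"
        sym_fmt, sym_size = "<IIIBBH", 16
    rel_size = rel["entsize"] or struct.calcsize(rel_fmt)
    stub = plt["entsize"] or 16
    out = {}
    for i in range(rel["size"] // rel_size):
        r_info = struct.unpack_from(rel_fmt, data, rel["offset"] + i * rel_size)[1]
        symidx = r_info >> 32 if is64 else r_info >> 8
        st_name = struct.unpack_from(sym_fmt, data, dynsym["offset"] + symidx * sym_size)[0]
        out[_cstr(data, dynstr["offset"] + st_name)] = plt["addr"] + stub * (i + 1)
    return out


def build_sample_elf():
    """Constructed sample (not a real su): minimal x86-64 ELF importing puts and exit."""
    dynstr = b"\0puts\0exit\0"
    dynsym = (struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)             # STN_UNDEF
              + struct.pack("<IBBHQQ", 1, 0x12, 0, 0, 0, 0)        # puts: GLOBAL FUNC
              + struct.pack("<IBBHQQ", 6, 0x12, 0, 0, 0, 0))       # exit: GLOBAL FUNC
    jump_slot = 7                                                   # R_X86_64_JUMP_SLOT
    rela = (struct.pack("<QQq", 0x4018, (1 << 32) | jump_slot, 0)   # GOT slot for puts
            + struct.pack("<QQq", 0x4020, (2 << 32) | jump_slot, 0))  # GOT slot for exit
    plt = b"\xcc" * 48                                              # PLT0 + two 16-byte stubs
    shstr = b"\0.dynstr\0.dynsym\0.rela.plt\0.plt\0.shstrtab\0"
    body, offsets = b"", []
    for blob in (dynstr, dynsym, rela, plt, shstr):
        offsets.append(64 + len(body))
        body += blob
    shoff = 64 + len(body)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 56, 0, 64, 6, 5))

    def sh(name, typ, addr, off, size, link=0, entsize=0):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, addr, off, size, link, 0, 1, entsize)

    shdrs = (sh(0, 0, 0, 0, 0)
             + sh(1, SHT_STRTAB, 0, offsets[0], len(dynstr))
             + sh(9, SHT_DYNSYM, 0, offsets[1], len(dynsym), link=1, entsize=24)
             + sh(17, SHT_RELA, 0, offsets[2], len(rela), link=2, entsize=24)
             + sh(27, SHT_PROGBITS, 0x1020, offsets[3], len(plt), entsize=16)
             + sh(32, SHT_STRTAB, 0, offsets[4], len(shstr)))
    return ehdr + body + shdrs


def plt_address(path, symbol):
    """Address of symbol@plt in the ELF file at path, or None if there is no such stub."""
    with open(path, "rb") as f:
        return plt_addresses(f.read()).get(symbol)


if __name__ == "__main__":
    # usage: python3 pltaddr.py ./su exit   (./su extracted from the distro package)
    if len(sys.argv) > 2:
        addr = plt_address(sys.argv[1], sys.argv[2])
    else:
        addr = plt_addresses(build_sample_elf()).get("exit")
    print("no PLT stub found" if addr is None else f"exit@plt = {addr:#x}")
```

Run it against the su extracted from the package (dpkg -x / rpm2cpio) rather than the installed, unreadable copy; the address only transfers if the package build matches the installed binary and the binary is not position-independent, which is exactly why a self-compiled su (next comment) breaks this shortcut.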


I compiled it myself, so that is not an option.


Presumably they only need to guess the flags you used then. There is really not all that much entropy there.

And I suspect doing so is fairly uncommon in production environments anyway.



