Does this vulnerability not rely on SUID binaries?

cperciva · 2026-05-09T22:46:50 1778366810

I don't think so? It's a buffer overflow in the system call.

tptacek · 2026-05-09T23:24:36 1778369076

I just read that it was spilling into argv or something and assumed the vector was somehow injecting arguments or something.

cperciva · 2026-05-09T23:53:07 1778370787

The exploit is injecting environment variables, but yes, close enough. You need someone to call execve as root in order to become root, but you don't need a setuid binary.

rsync · 2026-05-10T19:51:13 1778442673

I am reading:

"When the timing aligns, the trigger's buggy memmove causes K+1 to self-overwrite, replacing sshd-session's real environment with the preseed payload. sshd-session's exec_copyout_strings copies LD_PRELOAD=/tmp/evil.so to the new process's stack, the runtime linker loads evil.so, and its constructor copies /bin/sh to /tmp/rootsh and sets it suid root. My human's unprivileged user runs /tmp/rootsh -p and gets a root shell."

... so at the very end of the exploit chain, is /tmp/rootsh required to be suid root before it is finally run to get the root shell ?

... or is the exploit already achieved and /tmp/rootsh is just an arbitrary indicator ?

cperciva · 2026-05-11T02:20:58 1778466058

The exploit already succeeded at that point, creating the setuid /tmp/rootsh is just a way of making it permanent.

tptacek · 2026-05-10T21:18:55 1778447935

One of the authors is on this subthread correcting me. :)

cryptbe · 2026-05-10T05:52:30 1778392350

Nope. Try the PoC on macOS:

https://github.com/califio/publications/blob/main/MADBugs/fr...

The script downloads and sets up FreeBSD on QEMU, then runs the exploit.

The exploit is very smart: https://github.com/califio/publications/blob/main/MADBugs/fr.... It basically backdoors sshd.