Hacker News

Local privilege escalation via execve()

160 points by Deeg9rie9usi yesterday at 8:31 PM | 80 comments

Comments

Groxx today at 3:54 AM

    -     args->endp - args->begin_argv + consume);
    +     args->endp - (args->begin_argv + consume));
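
Review bot: the `+` line gets the right length only because of the added parentheses, and nothing in these two lines checks that `args->begin_argv + consume` stays at or below `args->endp`; compute the length into a named variable and check that bound before the value is used as a copy size.
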
tbh I've considered simply banning math-operator-precedence in projects I work on, and requiring all mixed-operator code to use parentheses or split to multiple statements. I do that myself, at least.

I've seen so many mistakes from it, and seen people spend so much pointless and avoidable time deciphering and verifying it, it really doesn't seem worth it (in most code) for the extremely minor character savings.

cryptbe yesterday at 9:58 PM

Nice to randomly encounter our own work here.

Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free...

AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...

tptacek yesterday at 10:02 PM

Calif is just killing it these past couple months. Reminder that Calif is Thai Duong's new firm.

dnw today at 5:08 AM

A CVE for exeCVE()

cyberpunk yesterday at 9:06 PM

This is from April 28th, it was patched in 15.0R-p7.

wolvoleo yesterday at 10:08 PM

Oof that's a pretty big one, I didn't realise but I had already updated anyway.

0xbadcafebee today at 12:35 AM

  memmove(args->begin_argv + extend, args->begin_argv + consume,
      args->endp - args->begin_argv + consume);   // ← bug
C code like this is why we can't have nice things. Arithmetic operation in the arguments of a dangerous function call with no explicit bounds check.
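
The point raised in this thread (a length computed inline in the `memmove()` call, with no bounds check), as an added example that is not from the FreeBSD source or from any commenter. `struct arg_buf`, its `buf` and `cap` fields and `shift_args()` are hypothetical; only the two length expressions come from the snippets quoted above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the argument buffer (assumption, not kernel code). */
struct arg_buf {
    char *buf;         /* start of the backing buffer */
    char *begin_argv;  /* start of the argument strings */
    char *endp;        /* one past the last used byte */
    size_t cap;        /* total bytes available in buf */
};

/* Length as the buggy line computes it: (endp - begin_argv) + consume. */
size_t tail_len_buggy(const struct arg_buf *a, size_t consume)
{
    return (size_t)(a->endp - a->begin_argv) + consume;
}

/* Length as the fixed line computes it: endp - (begin_argv + consume). */
size_t tail_len_fixed(const struct arg_buf *a, size_t consume)
{
    return (size_t)(a->endp - (a->begin_argv + consume));
}

/* Replace the first `consume` bytes at begin_argv with room for `extend`
 * bytes, moving the tail. Returns 0 on success, -1 if a bound fails. */
int shift_args(struct arg_buf *a, size_t consume, size_t extend)
{
    size_t used = (size_t)(a->endp - a->begin_argv);
    size_t room = a->cap - (size_t)(a->begin_argv - a->buf);
    if (consume > used)
        return -1;                     /* source would start past endp */
    size_t tail = used - consume;      /* bytes that actually move */
    if (extend > room || tail > room - extend)
        return -1;                     /* destination would overrun buf */
    memmove(a->begin_argv + extend, a->begin_argv + consume, tail);
    a->endp = a->begin_argv + extend + tail;
    return 0;
}

int main(void)
{
    char storage[64] = {0};            /* constructed sample buffer */
    struct arg_buf a = { storage, storage + 8, storage + 40, sizeof storage };
    printf("buggy=%zu fixed=%zu\n", tail_len_buggy(&a, 10), tail_len_fixed(&a, 10));
    printf("shift=%d\n", shift_args(&a, 10, 4));
    return 0;
}
```

The two length expressions differ by exactly `2 * consume`, which is how many bytes too many the unparenthesized form asks `memmove()` to copy.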

andrew_kwak today at 7:54 AM

[flagged]

rvz yesterday at 8:45 PM

> IV. Workaround

> No workaround is available.

Oh dear.

doublerabbit yesterday at 9:03 PM

Linux is on their second and FreeBSD is on their first. How many is Windows on?
