Part 7/12:
This timing attack exploits a window where the setuid binaries are temporarily active in a mounted filesystem—allowing an attacker to run root-level commands without proper authorization.
Achieving Root Access
In practice, the attacker performs the following:
- Creates an XFS filesystem image containing a setuid version of Bash or another root-privileged binary.
- Mounts this image on the target system, deliberately keeping it mounted via a busy-wait loop.
- Transfers the malicious setuid binary into the mounted filesystem.
- Executes the binary during the fleeting window when it’s active, thereby gaining root privileges.
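
A defender-side check for the condition described above, as an added example that is not part of the original post: it lists loop-backed or temp/removable mounts that lack `nosuid`, the mount option that makes the kernel ignore setuid bits on that filesystem. The path prefixes and the sample mount table are assumptions constructed for illustration.

```python
import re

# Constructed sample in /proc/self/mounts format (not captured from a real host).
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/loop3 /tmp/blockdev.AB12CD xfs rw,relatime,attr2,inode64 0 0
/dev/loop4 /media/user/USB\\040STICK xfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /run/media/user/data vfat rw,nosuid,nodev,uid=1000 0 0
"""

# Assumed policy: mount points under these prefixes should never honour setuid.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/media/", "/run/media/", "/mnt/")

def _unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def suid_honouring_mounts(mounts_text):
    """Return loop-backed or untrusted-path mounts that are missing nosuid."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # not a mount table row
        source, target = _unescape(fields[0]), _unescape(fields[1])
        fstype, options = fields[2], set(fields[3].split(","))
        loop_backed = source.startswith("/dev/loop")
        untrusted_path = (target + "/").startswith(UNTRUSTED_PREFIXES)
        if (loop_backed or untrusted_path) and "nosuid" not in options:
            findings.append({
                "source": source, "target": target, "fstype": fstype,
                "missing": sorted({"nosuid", "nodev"} - options),
            })
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/self/mounts") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_MOUNTS  # fall back to the constructed sample off Linux
    for f in suid_honouring_mounts(table):
        print(f"{f['target']} ({f['fstype']} on {f['source']}): "
              f"missing {','.join(f['missing'])}")
```
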