This is the 17th installment of The Rationalist, my column for the Times of India.

One of my favourite English words comes from chess. If it is your turn to move, but any move you make makes your position worse, you are in ‘Zugzwang’. Narendra Modi was in zugzwang after the Pulwama attacks a few days ago—as any Indian prime minister in his place would have been.

An Indian PM, after an attack for which Pakistan is held responsible, has only unsavoury choices in front of him. He is pulled in two opposite directions. One, strategy dictates that he must not escalate. Two, politics dictates that he must.

Let’s unpack that. First, consider the strategic imperatives. Ever since both India and Pakistan became nuclear powers, a conventional war has become next to impossible because of the threat of a nuclear war. If India escalates beyond a point, Pakistan might bring their nuclear weapons into play. Even a limited nuclear war could cause millions of casualties and devastate our economy. Thus, no matter what the provocation, India needs to calibrate its response so that the Pakistan doesn’t take it all the way.

It’s impossible to predict what actions Pakistan might view as sufficient provocation, so India has tended to play it safe. Don’t capture territory, don’t attack military assets, don’t kill civilians. In other words, surgical strikes on alleged terrorist camps is the most we can do.

Given that Pakistan knows that it is irrational for India to react, and our leaders tend to be rational, they can ‘bleed us with a thousand cuts’, as their doctrine states, with impunity. Both in 2001, when our parliament was attacked and the BJP’s Atal Bihari Vajpayee was PM, and in 2008, when Mumbai was attacked and the Congress’s Manmohan Singh was PM, our leaders considered all the options on the table—but were forced to do nothing.

But is doing nothing an option in an election year?

Leave strategy aside and turn to politics. India has been attacked. Forty soldiers have been killed, and the nation is traumatised and baying for blood. It is now politically impossible to not retaliate—especially for a PM who has criticized his predecessor for being weak, and portrayed himself as a 56-inch-chested man of action.

I have no doubt that Modi is a rational man, and knows the possible consequences of escalation. But he also knows the possible consequences of not escalating—he could dilute his brand and lose the elections. Thus, he is forced to act. And after he acts, his Pakistan counterpart will face the same domestic pressure to retaliate, and will have to attack back. And so on till my home in Versova is swallowed up by a nuclear crater, right?

Well, not exactly. There is a way to resolve this paradox. India and Pakistan can both escalate, not via military actions, but via optics.

Modi and Imran Khan, who you’d expect to feel like the loneliest men on earth right now, can find sweet company in each other. Their incentives are aligned. Neither man wants this to turn into a full-fledged war. Both men want to appear macho in front of their domestic constituencies. Both men are masters at building narratives, and have a pliant media that will help them.

Thus, India can carry out a surgical strike and claim it destroyed a camp, killed terrorists, and forced Pakistan to return a braveheart prisoner of war. Pakistan can say India merely destroyed two trees plus a rock, and claim the high moral ground by returning the prisoner after giving him good masala tea. A benign military equilibrium is maintained, and both men come out looking like strong leaders: a win-win game for the PMs that avoids a lose-lose game for their nations. They can give themselves a high-five in private when they meet next, and Imran can whisper to Modi, “You’re a good spinner, bro.”

There is one problem here, though: what if the optics don’t work?

If Modi feels that his public is too sceptical and he needs to do more, he might feel forced to resort to actual military escalation. The fog of politics might obscure the possible consequences. If the resultant Indian military action causes serious damage, Pakistan will have to respond in kind. In the chain of events that then begins, with body bags piling up, neither man may be able to back down. They could end up as prisoners of circumstance—and so could we.

***

Also check out:

Why Modi Must Learn to Play the Game of Chicken With Pakistan—Amit Varma
The Two Pakistans—Episode 79 of The Seen and the Unseen
India in the Nuclear Age—Episode 80 of The Seen and the Unseen

The India Uncut Blog © 2010 Amit Varma. All rights reserved.
Follow me on Twitter.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Jalandhar on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Balasore on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Jalaun on politics, sports, entertainment, cricket, crime and more.

ઓપરેશન સમુદ્ર સેતુ: INS Jalashwa માલદીવથી 698 ફસાયેલા ભારતીયોને લઈ રવાના

કોરોના વાયરસ માત્ર લોકોનો માત્ર જીવ જ નથીલઈ રહ્યો પરંતુ તેની સાથે-સાથે આ મહામારી આર્થિક મંદીની પણ પરિસ્થિતિ પેદા કરી રહ્યો છે.

દેશભરમાં તેના 400 કર્મચારી છે, જેમાંથી 300 મુંબઈ મુખ્ય કાર્યાલયમાં કાર્યરત છે.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Patiala on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Dhalai District on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Nalanda on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Palamu on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Changalang on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Ambala on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Balaghat on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Tiruvannamalai on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Jhalawar on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Alapuzzha on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Kapurthala on politics, sports, entertainment, cricket, crime and more.

visit News18 Urdu for latest news, breaking news, news headlines and updates from Balangir on politics, sports, entertainment, cricket, crime and more.

An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.

The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4

Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default.

This Metasploit module exploits a vulnerability in the FreeBSD kernel, when running on 64-bit Intel processors. By design, 64-bit processors following the X86-64 specification will trigger a general protection fault (GPF) when executing a SYSRET instruction with a non-canonical address in the RCX register. However, Intel processors check for a non-canonical address prior to dropping privileges, causing a GPF in privileged mode. As a result, the current userland RSP stack pointer is restored and executed, resulting in privileged code execution.

This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.

Qualys has discovered that OpenBSD suffers from multiple authentication bypass and local privilege escalation vulnerabilities.

Qualys discovered a local privilege escalation in OpenBSD's dynamic loader (ld.so). This vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. They developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable.

This Metasploit module exploits a vulnerability in the OpenBSD ld.so dynamic loader (CVE-2019-19726). The _dl_getenv() function fails to reset the LD_LIBRARY_PATH environment variable when set with approximately ARG_MAX colons. This can be abused to load libutil.so from an untrusted path, using LD_LIBRARY_PATH in combination with the chpass set-uid executable, resulting in privileged code execution. This module has been tested successfully on OpenBSD 6.1 (amd64) and OpenBSD 6.6 (amd64).

Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.

Microsoft Windows WizardOpium local privilege escalation exploit.

Microsoft Windows 10 SMB version 3.1.1 SMBGhost local privilege escalation exploit.

Microsoft Windows suffers from an NtFilterToken ParentTokenId incorrect setting that allows for elevation of privileges.

In Microsoft Windows, by using the poorly documented SE_SERVER_SECURITY Control flag it is possible to set an owner different to the caller, bypassing security checks.

This Metasploit module exploits a logic flaw due to how the lpApplicationName parameter is handled. When the lpApplicationName contains a space, the file name is ambiguous. Take this file path as example: C:program fileshello.exe; The Windows API will try to interpret this as two possible paths: C:program.exe, and C:program fileshello.exe, and then execute all of them. To some software developers, this is an unexpected behavior, which becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalate privileges if run as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem.

Ubiquiti Networks UniFi Cloud Key with firmware versions 0.5.9 and 0.6.0 suffer from weak crypto, privilege escalation, and command injection vulnerabilities.

Zen Load Balancer version 3.10.1 suffers from a directory traversal vulnerability. This finding was originally discovered by Cody Sixteen.

Microsoft Windows 7 Build 7601 (x86) local privilege escalation exploit.

The Plantronics Hub client application for Windows makes use of an automatic update service SpokesUpdateService.exe which automatically executes a file specified in the MajorUpgrade.config configuration file as SYSTEM. The configuration file is writable by all users by default. This module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64). This Metasploit module has been tested successfully on Plantronics Hub version 3.13.2 on Windows 7 SP1 (x64).

The Windscribe VPN client application for Windows makes use of a Windows service WindscribeService.exe which exposes a named pipe \.pipeWindscribeService allowing execution of programs with elevated privileges. Windscribe versions prior to 1.82 do not validate user-supplied program names, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested successfully on Windscribe versions 1.80 and 1.81 on Windows 7 SP1 (x64).