Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20140614155049.GG23102@port70.net>
Date: Sat, 14 Jun 2014 17:50:49 +0200
From: Szabolcs Nagy <nsz@...t70.net>
To: musl@...ts.openwall.com
Subject: Re: Binaries compiled with musl (1.1.2) are vulnerable to an
 ancient ldd exploit

* Steven Honeyman <stevenhoneyman@...il.com> [2014-06-14 16:35:25 +0100]:
> I noticed this by accident (ran ldd as usual without even thinking)...
> but if you compile with musl-gcc, and use shared instead of static,
> then ldd can cause different behaviour in the binary (code will
> execute). It is described here [1] from 2009, on how to modify uclibc
> to enable this behaviour... musl needs no mods to achieve this!

musl never had this problem by design

it's only the broken ldd of glibc that tries to execute the binary..

> $ echo 'void main() { puts("executed"); }' >lddtest.c
> $ musl-gcc lddtest.c && ldd ./a.out
> 
> Of course the exploit is only useable if you check for
> LD_TRACE_LOADED_OBJECTS and do something different in the code if it
> is set.

works here as expected

the environment variables the libc and loader cares about are
documented: http://www.musl-libc.org/doc/1.0.0/manual.html
(LD_TRACE_LOADED_OBJECTS is not listed there)

$ ldd
musl libc
Version 1.1.2-git-7-g66fcde4
Dynamic Program Loader
Usage: ldd [options] [--] pathname

$ ldd ./a.out 
        /lib/ld-musl-i386.so.1 (0xb76cd000)
        libc.so => /lib/ld-musl-i386.so.1 (0xb76cd000)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.