Message-ID: <CAPLrYETux2yjsYJtg1mdB5UDiKLM52G3Yx8OHou5xKUxJB4Mkw@mail.gmail.com>
Date: Sat, 14 Jun 2014 17:51:43 +0200
From: Daniel Cegiełka <daniel.cegielka@...il.com>
To: musl@...ts.openwall.com
Subject: Re: Binaries compiled with musl (1.1.2) are vulnerable to an ancient ldd exploit
musl checks suid/sgid
http://git.musl-libc.org/cgit/musl/tree/src/ldso/dynlink.c#n984
Daniel
2014-06-14 17:35 GMT+02:00 Steven Honeyman <stevenhoneyman@...il.com>:
> I noticed this by accident (ran ldd as usual without even thinking)...
> but if you compile with musl-gcc, and use shared instead of static,
> then ldd can cause different behaviour in the binary (code will
> execute). It is described here [1] from 2009, on how to modify uclibc
> to enable this behaviour... musl needs no mods to achieve this!
>
> Simple example:
>
> $ printf '#include <stdio.h>\nint main(void) { puts("executed"); return 0; }\n' >lddtest.c
> $ musl-gcc lddtest.c && ldd ./a.out
>
> Of course the exploit is only usable if you check for
> LD_TRACE_LOADED_OBJECTS and do something different in the code if it
> is set.
>
> Thanks,
> Steven.
>
> [1] http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
>
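A static alternative to ldd for binaries you do not trust, as an added example that is not part of the thread: it reads the DT_NEEDED entries straight out of the ELF section headers and never loads or runs the file, so a binary that behaves differently under LD_TRACE_LOADED_OBJECTS gets no chance to do so. The `build_sample_elf` helper is a constructed test image, not a real executable, and the parser handles only little-endian ELF64 with a section header table (an image with stripped section headers would need the PT_DYNAMIC program-header path instead).

```python
import struct

EHDR, SHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<qQ"  # Elf64_Ehdr/Shdr/Dyn, little-endian
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1

def list_needed(data):
    """DT_NEEDED names of a little-endian ELF64 image, read from bytes only;
    unlike ldd, nothing in the file is ever executed."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ehdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = ehdr[6], ehdr[11], ehdr[12]
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    needed = []
    for sh in shdrs:
        if sh[1] != SHT_DYNAMIC:
            continue
        str_off, str_size = shdrs[sh[6]][4], shdrs[sh[6]][5]  # sh_link -> .dynstr
        for pos in range(sh[4], sh[4] + sh[5], struct.calcsize(DYN)):
            tag, val = struct.unpack_from(DYN, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                if val >= str_size:  # reject a string offset pointing outside .dynstr
                    raise ValueError("DT_NEEDED offset outside .dynstr")
                end = data.index(b"\0", str_off + val, str_off + str_size)
                needed.append(data[str_off + val:end].decode())
    return needed

def build_sample_elf(needed):
    """Constructed test image (not a real executable): ELF64 header, .dynstr,
    .dynamic and a three-entry section header table, nothing else."""
    dynstr, dyn = b"\0", b""
    for name in needed:
        dyn += struct.pack(DYN, DT_NEEDED, len(dynstr))
        dynstr += name.encode() + b"\0"
    dyn += struct.pack(DYN, DT_NULL, 0)
    str_off = struct.calcsize(EHDR)
    dyn_off = str_off + len(dynstr)
    sh_off = dyn_off + len(dyn)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01", 3, 62, 1, 0, 0, sh_off,
                       0, 64, 56, 0, 64, 3, 0)
    shdrs = struct.pack(SHDR, *([0] * 10))  # index 0 is always SHN_UNDEF
    shdrs += struct.pack(SHDR, 0, SHT_STRTAB, 0, 0, str_off, len(dynstr), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 1, 0, 8, 16)
    return ehdr + dynstr + dyn + shdrs

print(list_needed(build_sample_elf(["libc.so", "libz.so.1"])))  # ['libc.so', 'libz.so.1']
```

To inspect a real file, pass `open(path, "rb").read()` to `list_needed`; the result matches what `readelf -d` lists as NEEDED, without the loader ever being invoked.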