Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201103071827.05353.sgrubb@redhat.com>
Date: Mon, 7 Mar 2011 18:27:05 -0500
From: Steve Grubb <sgrubb@...hat.com>
To: oss-security@...ts.openwall.com
Subject: ldd can execute an app unexpectedly

Hello,

After reading the thread about logrotate and the revelation that sometimes CVEs are 
assigned because of admin bad practices, I wanted to ask about the ldd program. 

What do you do when you find an unexpected app on a system? First you might query your 
package manager to see what it might be. If that fails, then what do you do? You might 
run the file program against it to see what kind of file it might be. Then you might run 
strings to see what kinds of hints you might get based on the strings stored inside 
it. You might also run ldd to see what kinds of things it links against for more 
clues. That last step can get you pwned.

 http://reverse.lostrealm.com/protect/ldd.html
 http://www.catonmat.net/blog/ldd-arbitrary-code-execution/

Besides telling everyone don't do that. ldd could take the PoV that it should only 
call runtime linkers in trusted directories like /sbin or /usr/sbin. Or it could 
simply detect that another linker was requested and make you add a "--force" so that 
you are fully aware that you just let another linker run. (The suggested patch can 
certainly be improved. But its here just in case you want it.)

-Steve



test.c:
#include <stdio.h>
int main(void)
{
        printf("Hello World\n");
        return 0;
}

$ gcc -static -static-libgcc -Wl,-static test.c -o testbin
$ gcc -Wl,-dynamic-linker=$(pwd)/testbin test.c -o testtrap
$ ldd ./testtrap 



--- ldd.orig    2010-04-22 10:29:52.000000000 -0400
+++ ldd 2010-04-22 10:32:10.000000000 -0400
@@ -31,6 +31,7 @@
 warn=
 bind_now=
 verbose=
+force=0
 
 while test $# -gt 0; do
   case "$1" in
@@ -49,6 +50,7 @@
       --help              print this help and exit
       --version           print version information and exit
   -d, --data-relocs       process data relocations
+  -f, --force             allow non-standard dynamic linkers
   -r, --function-relocs   process data and function relocations
   -u, --unused            print unused direct dependencies
   -v, --verbose           print all information
@@ -63,6 +65,10 @@
     warn=yes
     shift
     ;;
+  -f | --f | --fo | --for | --forc | --force )
+    force=1
+    shift
+    ;;
   -r | --f | --fu | --fun | --func | --funct | --functi | --functio | \
   --function | --function- | --function-r | --function-re | --function-rel | 
\
   --function-relo | --function-reloc | --function-relocs)
@@ -172,6 +178,13 @@
       # If the program exits with exit code 5, it means the process has been
       # invoked with __libc_enable_secure.  Fall back to running it through
       # the dynamic linker.
+      if [ -x /usr/bin/eu-readelf ] ; then
+        interp="`/usr/bin/eu-readelf -l $file | grep interpreter | tr '[]' ' ' 
| awk '{ print $4 }'`"
+        if [ "x$interp" != "x" -a $force -eq 0 ] ; then
+          echo "Non-standard dynamic linker is requested: $interp"
+          exit 1
+        fi
+      fi
       try_trace "$file"
       rc=$?
       if [ $rc = 5 ]; then

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.