Message-Id: <201103080046.20318.tmb@65535.com>
Date: Tue, 8 Mar 2011 00:46:05 +0000
From: Tim Brown <tmb@...35.com>
To: oss-security@...ts.openwall.com
Subject: Re: ldd can execute an app unexpectedly

On Tuesday 08 March 2011 00:00:11 Dmitry V. Levin wrote:

> In June of 2002, I suggested to change ldd to avoid invoking programs
> directly, even when it seems like that would work, and invoke the dynamic
> linker as a program instead.
> This change was implemented at least in Owl and ALT Linux:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc/glibc-2.3.6-owl-alt-ldd.diff
> http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=788577027d2950e9508a434475e04c3af864d169

A slight tangent to this, but IIRC there was some suggestion that allowing files
to be mapped to memory with execute permissions when called in this manner was
something that should be considered a bug/feature to be fixed in order to bring
ld.so into line with how execution happens more generally.  I think Tavis or
stealth mentioned it to me regarding the suggestion in my paper that an
attacker could execute binaries in this manner to bypass situations when the
binary didn't, for whatever reason, have +x.  I guess it should be possible to
fix both cases but it's something that needs to be considered.

Tim
-- 
Tim Brown
<mailto:tmb@...35.com>
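
A defender-side check for the behaviour discussed in this message, as an added example that is not part of the original post or of glibc: it classifies process-exec records in which the dynamic loader is run as a program and flags targets that have no execute bit. The record format, paths, file modes and function names are constructed for illustration.

```python
import os
import re
import shlex
import stat

# Dynamic loader file names, e.g. ld-linux-x86-64.so.2, ld-linux.so.2, ld.so.1
LOADER_RE = re.compile(r"^ld(-[\w.-]+)?\.so(\.\d+)?$")
TAKES_VALUE = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}
INSPECT_ONLY = {"--list", "--verify"}  # list/verify the target, do not run it
X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def loader_target(argv):
    """Return (target, inspect_only) if argv runs the loader as a program, else None."""
    if not argv or not LOADER_RE.match(os.path.basename(argv[0])):
        return None
    inspect_only, i = False, 1
    while i < len(argv) and argv[i].startswith("--"):
        inspect_only |= argv[i] in INSPECT_ONLY
        i += 2 if argv[i] in TAKES_VALUE else 1  # skip the option's value too
    return (argv[i], inspect_only) if i < len(argv) else None

def assess(cmdline, mode_of=lambda p: os.stat(p).st_mode):
    """Classify one exec record; mode_of is injectable so the sample runs offline."""
    hit = loader_target(shlex.split(cmdline))
    if hit is None:
        return "ignore"
    target, inspect_only = hit
    if inspect_only:
        return "inspect"
    try:
        mode = mode_of(target)
    except (OSError, KeyError):
        return "alert-unknown-target"
    return "loader-exec" if mode & X_BITS else "alert-no-x-bit"

# Constructed sample file modes and exec records (not taken from the thread).
SAMPLE_MODES = {"/tmp/upload/tool": 0o100644, "/usr/bin/id": 0o100755, "/bin/ls": 0o100755}
SAMPLE_EXECS = [
    "/lib64/ld-linux-x86-64.so.2 /tmp/upload/tool --flag",
    "/lib64/ld-linux-x86-64.so.2 --library-path /opt/lib /usr/bin/id",
    "/lib/ld-linux.so.2 --verify /bin/ls",
    "/usr/bin/ld -o a.out a.o",
]

def run_sample():
    """Classify every constructed record using the constructed file modes."""
    return [assess(c, SAMPLE_MODES.__getitem__) for c in SAMPLE_EXECS]

if __name__ == "__main__":
    print(run_sample())
```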
