[453] in linux-security and linux-alert archive
ld.so gaping hole.
daemon@ATHENA.MIT.EDU (SysAdmin - TNET Systems)
Mon Nov 6 15:35:36 1995
Date: Mon, 6 Nov 1995 07:17:37 -0600 (CST)
From: SysAdmin - TNET Systems <root@TNET.portage.net>
To: linux-security@tarsier.cv.nrao.edu
Ok folks, listen up...
The telnetd hole was minor, because anyone could use the
LD_LIBRARY_PATH and LD_PRELOAD to get root with just about anything.
Patching login, telnetd, etc. etc. is not going to fix this problem.
You have to start at the source: ld.so.
All it took was two lines of preprocessor code in the source file ld.so.c.
No huge patches, etc. The following describes the course of action I
took:
1) got myself the source to ld.so 1.5.3
2) commented out the environment variable check(s)
by using a #ifndef __BIG_HOLE__, #endif
Specifically: LD_LIBRARY_PATH and LD_PRELOAD were commented out.
3) recompiled and installed ld.so while defining __BIG_HOLE__
LD_PRELOAD, LD_LIBRARY_PATH are really not needed. If you are going to
use them, rename them, hash the names up in the ld.so binary (evade
strings), or use some sort of protocol for specifying them.
For example, modify the ld.so.c file to search for a special char, of your
choosing, in the environment variables. If not present, ignore the
variables.
So not only do you get to save disk space (although nominal) over
adding patches or wrappers... you get an even more secure system.
Why was this not mentioned previously ?
It took me 5 minutes to patch/compile/install the new ld.so
(not counting the fact that I had previously gotten the source to an ELF
ld.so when I am a.out :/ 1.7.3 is ELF, and ELF only. For a.out users,
use 1.5.3)
Special thanks to Medulla for the idea and assistance behind this one.
Chad Giffin
TNET Information Systems
Canada
cgiffin@portage.net
(204) 857-5754
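As an added illustration (not the poster's patch and not code from ld.so 1.5.3), the following C model shows the two mechanisms the post describes: the compile-time gate (build with -D__BIG_HOLE__ and the loader never consults LD_PRELOAD / LD_LIBRARY_PATH) and the "special char" marker protocol (a variable is honoured only if its value starts with a chosen character). It goes one step beyond the post with a setuid-aware check, which is how later loaders handled the problem: glibc's ld.so enters secure-execution mode for setuid/setgid programs and then ignores LD_LIBRARY_PATH and restricts LD_PRELOAD, rather than disabling the variables for everyone. The function names, the marker character '@', and the sample environment are assumptions constructed for this example.

```c
/* Added example, not ld.so source: a model of how a dynamic loader decides
 * whether to honour LD_PRELOAD / LD_LIBRARY_PATH from the caller's
 * environment.  Names and values below are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LD_MARKER '@'   /* assumed "special char of your choosing" */

/* Compile-time gate from steps 2 and 3 of the post: compiling with
 * -D__BIG_HOLE__ removes the environment checks from the loader entirely. */
int loader_consults_ld_env(void)
{
#ifndef __BIG_HOLE__
    return 1;
#else
    return 0;
#endif
}

/* Secure-execution test (the later, narrower fix): a setuid/setgid program
 * must not take library paths from its caller, because the caller chose
 * them but the code runs with someone else's privileges.  Returns 1 when
 * the real and effective ids differ. */
int secure_exec_mode(unsigned uid, unsigned euid, unsigned gid, unsigned egid)
{
    return uid != euid || gid != egid;
}

/* Look up NAME in ENVP ("NAME=value" strings, NULL-terminated) and return
 * the value the loader should use, or NULL when it must be ignored:
 *  - always NULL when compiled with __BIG_HOLE__ (the post's approach),
 *  - NULL in secure-execution mode (setuid-aware approach),
 *  - NULL unless the value starts with LD_MARKER (the post's marker
 *    protocol); the marker itself is stripped from the returned value. */
const char *ld_env_value(const char *name, char *const envp[], int secure)
{
    size_t n = strlen(name);

    if (!loader_consults_ld_env() || secure)
        return NULL;

    for (char *const *e = envp; *e != NULL; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=') {
            const char *val = *e + n + 1;
            return val[0] == LD_MARKER ? val + 1 : NULL;
        }
    }
    return NULL;
}

/* Constructed sample environment: LD_PRELOAD lacks the marker and must be
 * ignored; LD_LIBRARY_PATH carries it and is honoured in a normal run. */
static char *sample_env[] = {
    "HOME=/home/user",
    "LD_PRELOAD=/tmp/untrusted.so",
    "LD_LIBRARY_PATH=@/opt/mylibs",
    NULL,
};

static void show(const char *label, int secure)
{
    const char *preload = ld_env_value("LD_PRELOAD", sample_env, secure);
    const char *libpath = ld_env_value("LD_LIBRARY_PATH", sample_env, secure);
    printf("%s:\n  LD_PRELOAD      -> %s\n  LD_LIBRARY_PATH -> %s\n", label,
           preload ? preload : "(ignored)", libpath ? libpath : "(ignored)");
}

int main(void)
{
    /* Ordinary process: real and effective ids match. */
    show("normal process", secure_exec_mode(1000, 1000, 100, 100));
    /* A setuid-root program started by uid 1000: everything is ignored. */
    show("setuid-root process", secure_exec_mode(1000, 0, 100, 100));
    return 0;
}
```

In the normal run LD_PRELOAD is ignored (no marker) while LD_LIBRARY_PATH yields /opt/mylibs; in the setuid case both are ignored regardless of the marker. Rebuilding with -D__BIG_HOLE__ makes loader_consults_ld_env() return 0, which reproduces the post's step 3: the variables are never consulted at all.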