[476] in linux-security and linux-alert archive
Re: ld.so gaping hole.
daemon@ATHENA.MIT.EDU (SysAdmin - TNET Systems)
Wed Nov 8 23:35:59 1995
Date: Tue, 7 Nov 1995 14:04:41 -0600 (CST)
From: SysAdmin - TNET Systems <root@TNET.portage.net>
To: Joshua Cowan <jcowan@jcowan.reslife.okstate.edu>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199511070824.CAA30299@jcowan.reslife.okstate.edu>
On Tue, 7 Nov 1995, Joshua Cowan wrote:
> CG> I meant it will not fix the 'ld.so' hole. I don't think you
> CG> understand how big this hole is or how much of a problem it
> CG> is.
>
> This is correct, I don't understand how big this ``hole'' is or even
> where it is. ;-) I don't think you understand this feature's
> implementation, but that doesn't mean you don't. :-)
>
> CG> 'login', to gain access to this hole. This is what I am
> CG> trying to avoid. Any SUID binary on your system can be
> CG> exploited this way.
>
> It (the telnetd hole) has nothing to do with the binary being
> suid/sgid.
>
Aha! =) The answer comes to me:
I was using ld.so as distributed in the Slackware 2.3 package from tsx-11.
It was not doing the EUID/UID confirmation. Thus, I was able to gain
root as a non-root user, using any SUID binary.
Compiling ld.so 1.5.3 w/o any modifications (as issued by Sunsite in the
package 'ld.so-1.5.3.tar.gz'), I could not, any longer, gain root using
this method.
--- ld.so - 1.5.3 source snippet ---
    /* cp is a char *; getenv() returns a pointer into the process's own
       environment, so writing '\0' through it empties the variable in place */

    /* hmm, you want your own path, do you? */
    if (((cp = getenv("AOUT_LD_LIBRARY_PATH")) && *cp) ||
        ((cp = getenv("LD_LIBRARY_PATH")) && *cp))
    {
        uid_t uid = getuid();
        /* real root is trusted; anyone else only if real == effective
           for both uid and gid, i.e. this is not a set-uid/set-gid run */
        if (uid && (uid != geteuid() || getgid() != getegid()))
        {
            /* sorry, Charlie, I can't let you do that */
            *cp = '\0';
        }
    }
------------------------------------
So something was missing / wrong with this code in the ld.so for the
Slackware 2.3 package, as it was, on
tsx-11.mit.edu/pub/linux/distributions/slackware/* some 3 months ago.
My apologies for the alarm. Only SW 2.3 users need be worried.
BTW: tsx-11 no longer has 2.3 in the Slackware directory. I believe
Slackware 3.0 is there now.
NOTE: this should teach those of us who trust others' binaries to no
longer do so. I have long been an advocate of this policy; however,
I made an exception for ld.so :/
Chad Giffin
TNET Information Systems, Canada
(204) 857-5754
cgiffin@portage.net
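The real-vs-effective id check from the ld.so 1.5.3 snippet quoted in the message above, rewritten as a stand-alone C program so the condition can be exercised with arbitrary ids rather than only those of the running process. This is an added example, not ld.so's own code and not Chad Giffin's: the function names, the uid/gid values and the path strings are constructed for illustration. The "unchecked" variant stands in for a loader that skips the comparison, which is all the post says about the Slackware 2.3 build; it is not a reproduction of that binary.

```c
/* Added example (not ld.so source): the id check that ld.so 1.5.3 applies
 * before honouring LD_LIBRARY_PATH, factored into pure functions, beside a
 * loader that performs no check at all.  All ids and paths are made up. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 if a user-supplied library search path may be honoured, 0 if it
 * must be discarded.  Mirrors the 1.5.3 condition exactly: real root is
 * always trusted; everyone else only when real == effective for uid and gid,
 * i.e. when the binary is not running set-uid or set-gid. */
int path_is_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (uid == 0)
        return 1;
    return uid == euid && gid == egid;
}

/* Apply the check to a library-path string in place, the way ld.so does by
 * writing '\0' at the first byte of the environment value.
 * Returns 1 if the path was cleared, 0 if it was left alone (or was unset). */
int sanitize_library_path(char *path, uid_t uid, uid_t euid,
                          gid_t gid, gid_t egid)
{
    if (path == NULL || *path == '\0')
        return 0;                       /* nothing to honour or discard */
    if (path_is_trusted(uid, euid, gid, egid))
        return 0;
    *path = '\0';                       /* sorry, Charlie */
    return 1;
}

/* The behaviour the poster hit: no id comparison, so the path is honoured
 * whenever it is set.  Kept only to contrast with the checked version. */
int unchecked_library_path(const char *path, uid_t uid, uid_t euid,
                           gid_t gid, gid_t egid)
{
    (void)uid; (void)euid; (void)gid; (void)egid;
    return path != NULL && *path != '\0';
}

int main(void)
{
    /* Constructed scenario: unprivileged user (uid 1000, gid 100) runs a
     * set-uid-root binary with LD_LIBRARY_PATH pointing at a directory the
     * user controls. */
    char path[] = "/home/user/lib";
    uid_t uid = 1000, euid = 0;
    gid_t gid = 100, egid = 100;

    printf("unchecked loader honours \"%s\": %d\n", path,
           unchecked_library_path(path, uid, euid, gid, egid));
    sanitize_library_path(path, uid, euid, gid, egid);
    printf("checked loader leaves the path as \"%s\"\n", path);

    /* The same user running an ordinary, non-set-id binary keeps the path. */
    char path2[] = "/home/user/lib";
    sanitize_library_path(path2, 1000, 1000, 100, 100);
    printf("non-set-id run keeps the path as \"%s\"\n", path2);

    /* The check against this process's own ids, as ld.so would perform it. */
    printf("this process: uid=%u euid=%u -> trusted=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           path_is_trusted(getuid(), geteuid(), getgid(), getegid()));
    return 0;
}
```

Build with `cc -Wall -o ldpath ldpath.c && ./ldpath`. Two properties of the original condition are worth noticing: a real uid of 0 short-circuits the comparison, so root running a set-uid-to-another-user binary keeps its path, and a gid mismatch alone (set-gid with no set-uid) is enough to discard it. Later glibc loaders do not compare ids themselves; they honour the AT_SECURE flag the kernel passes in the auxiliary vector for set-id executables, which also covers executables that gain file capabilities.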