[11597] in bugtraq
Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Mon Aug 30 07:59:28 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <lcamtuf.4.05.9907050825220.680-100000@nimue.ids.pl>
Date: Mon, 5 Jul 1999 08:40:05 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
X-To: "Michael K. Johnson" <johnsonm@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199908251644.MAA01197@tristan.devel.redhat.com>

On Wed, 25 Aug 1999, Michael K. Johnson wrote:
> Let's make sure we understand this correctly:
>
> #!/bin/sh
> /lib/ld-linux.so.2 "$@"
>
> is roughly equivalent to:
>
> #!/bin/sh
> file=$1
> shift
> cp $file /tmp
> /tmp/$file "$@"
> rm /tmp/$file

No, it isn't equivalent. No one said /tmp is mounted with the exec option.
What I'm trying to say is that noexec is *NOT* a mechanism provided for
security reasons, and it's at least stupid to use it against hackers,
while a lot of administrators love restricting execution of custom
programs to prevent exploits, while this is the simplest method (don't
even think about LD_PRELOAD and so on).

> And, of course, no one is capable of using mmap and PROT_EXEC to do
> their own ld-linux.so-like wrapper, especially since no one has the
> glibc source code to start from. ;-)

If no one is capable of using his own programs, no one is capable of using
his own linker.

> It is unfortunate that people think that it is a security feature, and
> I will say that you have found one of the more interesting and subtle
> ways to show that it is not a security feature, but this is NOT a
> glibc bug.

Yep, yep, sorry, I didn't want to say it's a bug (and didn't say it ;),
I say that it is the simplest way to bypass noexec and security by
obscurity stinks ;P

Regards,
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
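
A detection-side sketch of the point made in this thread, added here and not part of the original message: it flags a process whose argv invokes the dynamic loader directly on a program that lives on a noexec mount. The mount table, the loader name patterns and all function names are constructed assumptions.

```python
import fnmatch
import posixpath

# Constructed /proc/mounts excerpt (sample data, not from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext4 rw,nosuid,noexec 0 0
/dev/sda4 /home/build ext4 rw,nosuid 0 0
"""

# Loader file names: an assumption covering common glibc layouts.
LOADER_PATTERNS = ("ld-linux*.so*", "ld.so*", "ld-*.so*")


def parse_mounts(text):
    """Return {mount_point: is_noexec} from /proc/mounts-formatted text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = "noexec" in fields[3].split(",")
    return mounts


def on_noexec(path, mounts, cwd="/"):
    """True if the longest-prefix mount point for path carries noexec."""
    path = posixpath.normpath(posixpath.join(cwd, path))
    best = max((m for m in mounts
                if path == m or path.startswith(m.rstrip("/") + "/")),
               key=len, default=None)
    return bool(best) and mounts[best]


def loader_bypass_target(argv, mounts, cwd="/"):
    """Return the noexec-resident program a direct loader call names, else None."""
    if not argv or not any(fnmatch.fnmatch(posixpath.basename(argv[0]), p)
                           for p in LOADER_PATTERNS):
        return None
    # The first non-option argument is the program the loader is asked to map.
    # Loader options that take a separate value are not modelled here.
    target = next((a for a in argv[1:] if not a.startswith("-")), None)
    if target and on_noexec(target, mounts, cwd):
        return posixpath.normpath(posixpath.join(cwd, target))
    return None
```

mount(8) notes that this loader trick fails since Linux 2.4.25 / 2.6.0, so on current kernels a hit indicates an attempt rather than a successful execution.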