[4941] in bugtraq


Re: KSR[T] Advisory #2: ld.so

daemon@ATHENA.MIT.EDU (Julian Assange)
Sun Jul 20 23:52:51 1997

Date: 	Sat, 19 Jul 1997 00:07:59 +1000
Reply-To: proff@SUBURBIA.NET
From: Julian Assange <proff@SUBURBIA.NET>
X-To:         ksrt@DEC.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.95.970717171131.7276A-100000@yoshiwara.dec.net> from
              "KSR[T]" at "Jul 17, 97 05:15:21 pm"

> Affected Program:    ld.so / ld-linux.so
>
> Problem Description: ld.so is the run-time linker used by dynamically linked
>                      executables(a.out).  Inside the error reporting function
>                      there is a call to vsprintf, which doesn't check the size
>                      of the string it is storing in an automatic buffer.
>
>                      The ELF version of run-time linker(ld-linux.so) is
>                      vulnerable to an almost identical stack overwrite.


I discovered this attack over a year ago, so let me fill you in.
At that time the a.out ld.so was not vulnerable but ELF ld.so
definitely was. Triggering the overflow required a resource starvation
attack on fd's, which was easily performed by setting system resource
consumption limits for file descriptors to an appropriately low value.

FreeBSD was not vulnerable to any ld.so attacks that I could
observe.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
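The bug class the advisory describes, an error-reporting routine that formats a message with vsprintf into a fixed automatic buffer, is shown below next to a bounded replacement. This is an added example and not code from ld.so, ld-linux.so, the KSR[T] advisory, or the reply; the buffer size, the function names and the message strings are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed: size of the automatic (stack) buffer used by both variants. */
#define ERRBUF 128

/* The pattern the advisory describes: vsprintf has no idea how large buf is,
 * so any formatted message of 128 bytes or more runs past the end of the
 * stack buffer. This variant is kept for comparison only and is never called
 * with long input here. */
void report_error_unchecked(const char *fmt, ...)
{
    char buf[ERRBUF];
    va_list ap;

    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);        /* no length check: overflow on long input */
    va_end(ap);
    fputs(buf, stderr);
}

/* Bounded replacement. vsnprintf writes at most sizeof buf bytes (always
 * NUL-terminated) and returns the length the full message would have had,
 * so truncation is detected instead of silently corrupting the stack.
 * The possibly truncated text is copied to 'out' (bounded by outsz).
 * Returns 1 if truncated, 0 if the message fit, -1 on a formatting error. */
int report_error_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    char buf[ERRBUF];
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        if (outsz > 0)
            out[0] = '\0';
        return -1;
    }
    snprintf(out, outsz, "%s", buf);   /* same bounded discipline for the caller's buffer */
    return needed >= (int)sizeof buf;
}

/* Constructed check: a short library name fits and is reported verbatim. */
int check_short_message(void)
{
    char out[256];
    int trunc = report_error_bounded(out, sizeof out,
                                     "can't load library '%s'", "libc.so.5");
    return trunc == 0 && strcmp(out, "can't load library 'libc.so.5'") == 0;
}

/* Constructed check: a 299-byte name would have overrun the 128-byte buffer;
 * the bounded variant truncates to ERRBUF-1 characters and reports it. */
int check_long_message(void)
{
    char out[256];
    char name[300];
    int trunc;

    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    trunc = report_error_bounded(out, sizeof out, "can't load library '%s'", name);
    return trunc == 1 && strlen(out) == ERRBUF - 1;
}

int main(void)
{
    printf("short message ok: %d\n", check_short_message());
    printf("long message truncated and flagged: %d\n", check_long_message());
    return 0;
}
```

The point of returning the truncation flag is that a run-time linker's error path is reached with attacker-influenced strings (library names, paths), so the caller should treat a truncated message as a signal to log and bail out rather than something to ignore.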
