[4967] in bugtraq
Re: Solaris ld.so possibly vulnerable?
daemon@ATHENA.MIT.EDU (Casper Dik)
Tue Jul 22 10:10:56 1997
Date: Tue, 22 Jul 1997 11:47:28 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 21 Jul 1997 22:43:02 +0300."
<199707211943.WAA11293@lune.math.tau.ac.il>
>As for the existence of a stack overrun condition similar to the one
>in Linux in the Solaris ld.so, I do not believe this to be the case.
>
>The bug the program you posted triggers is indeed because of a call to
>strcpy(), however the buffers in question are not on the stack but are
>malloc()ed during run time. (There are some cases where ld.so first calls
>strlen() to determine how much memory to ask malloc() for, if I remember
>correctly; obviously, the particular instance you've discovered is not one
>of those).
The bug is in a routine that formats error messages into a dynamically allocated
buffer.
Since the buffer will live after the program's data segment, the _iob
(stdioflow) trick won't work on it.
Also, when applied to a set-uid/set-gid program it isn't possible to
force an ld.so error using LD_PRELOAD (ignored) or many of the
other LD_ variables (they're mostly ignored).
However, in some versions of Solaris such errors are generated by the
implementation of dynamically loadable functionality and on such systems
you can crash set-uid executables.
Casper
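An added illustration of the two buffer-sizing patterns the reply contrasts (a fixed-size malloc()ed buffer filled by strcpy(), versus strlen() first and an exact allocation); this is example code written for this page, not Casper Dik's code nor Solaris ld.so source, and all function names and the "fatal" prefix are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical error-message formatters (not Solaris ld.so source) that
 * copy caller-controlled strings into a malloc()ed buffer. */

/* Unsafe shape, shown for contrast only and never called here: the buffer
 * size is a fixed guess, then strcpy()/strcat() fill it, so an overlong
 * name overruns the heap block. */
char *format_error_unsafe(const char *prefix, const char *name)
{
    char *buf = malloc(256);            /* not derived from the inputs */
    if (buf == NULL)
        return NULL;
    strcpy(buf, prefix);
    strcat(buf, ": ");
    strcat(buf, name);                  /* overruns once the total exceeds 256 */
    return buf;
}

/* Hardened shape: strlen() first, allocate exactly what is needed, and
 * let snprintf() enforce the bound (the caller frees the result). */
char *format_error_safe(const char *prefix, const char *name)
{
    size_t need = strlen(prefix) + 2 + strlen(name) + 1;  /* ": " + NUL */
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    snprintf(buf, need, "%s: %s", prefix, name);
    return buf;
}

/* Check: the safe formatter preserves a constructed name of any length. */
int safe_roundtrip_ok(size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    char *msg = format_error_safe("fatal", name);
    int ok = msg != NULL && strlen(msg) == strlen("fatal: ") + name_len
             && strncmp(msg, "fatal: ", 7) == 0 && msg[strlen(msg) - 1] == 'A';
    free(msg);
    free(name);
    return ok;
}
```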