[16946] in bugtraq
Re: ld.so bug - LD_DEBUG_OUTPUT follows symlinks
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Sep 28 13:22:58 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0009280150470.27469-100000@dione.ids.pl>
Date: Thu, 28 Sep 2000 01:58:14 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Jakub Vlasek <jv@PILSEDU.CZ>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10009271148580.22869-100000@kronos>
On Wed, 27 Sep 2000, Jakub Vlasek wrote:
> [jv] ~/x export LD_DEBUG=libs LD_DEBUG_OUTPUT=/home/jv/x/debug
> [jv] ~/x ls -l
> -rw-rw-r-- 1 jv jv 308 Sep 27 11:40 debug.22810
> [jv] ~/x su
> (LD_DEBUG_OUTPUT ignored, data written to terminal)
> Password:
> [root] /home/jv/x ls -l
> -rw-rw-r-- 1 jv jv 308 Sep 27 11:40 debug.22810
> -rw-rw-r-- 1 root root 1850 Sep 27 11:41 debug.22812
> -rw-r--r-- 1 root root 374 Sep 27 11:41 debug.22819
> -rw-r--r-- 1 root root 308 Sep 27 11:41 debug.22820 <- can be symlink
...and all you need to make this attack work is the local root password ;) In
fact, this problem does not affect setuid programs themselves (because
LD_DEBUG_OUTPUT is ignored in this case), but affects programs spawned
from privileged programs after setuid(geteuid()) - in case privileges are
not dropped, but raised, and effective *id is equal to real *id. This
problem is similar to the "unsetenv() fails to unset LD_PRELOAD" problem, and
does not affect any setuid program directly. Such a way of calling programs
is quite uncommon (maybe except su, which is protected by password,
anyway), and is insecure for other reasons, as well. So, in general,
there's no reason to panic, unless you have some badly written setuid
crap.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
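The mitigation Zalewski's reasoning implies, as an added example that is not part of the original post or of glibc: once a privileged program has called setuid(geteuid()), a child it spawns has real id equal to effective id, so the child's loader honours LD_DEBUG_OUTPUT (and the other LD_* variables) again; the parent must therefore strip them itself before exec. The function `scrub_loader_env` and the sample environment (values taken from the quoted session) are constructed here.

```c
/* Added example: scrub loader-controlled variables from an environment
 * block before a privileged process exec()s a child.  The dynamic loader
 * ignores LD_DEBUG_OUTPUT only while the process is "secure" (real id !=
 * effective id).  After setuid(geteuid()) the ids match, so a spawned
 * child would honour an inherited LD_DEBUG_OUTPUT and write debug.<pid>
 * wherever that path (possibly a symlink) points. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if a NAME=VALUE entry names an LD_* loader variable. */
static int is_loader_var(const char *entry) {
    return strncmp(entry, "LD_", 3) == 0;
}

/* Remove every LD_* entry, in place, from a NULL-terminated env array.
 * Survivors keep their order.  Returns the number of entries removed. */
size_t scrub_loader_env(char **envp) {
    size_t removed = 0, out = 0;
    for (size_t in = 0; envp[in] != NULL; in++) {
        if (is_loader_var(envp[in])) { removed++; continue; }
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}

/* Approximation of the condition Zalewski describes: when real and
 * effective ids are equal, a child's loader will NOT ignore LD_* vars. */
int child_loader_honours_ld_vars(void) {
    return getuid() == geteuid() && getgid() == getegid();
}

int main(void) {
    /* Constructed environment mirroring the quoted session. */
    char *env[] = { "LD_DEBUG=libs", "LD_DEBUG_OUTPUT=/home/jv/x/debug",
                    "PATH=/bin", "HOME=/home/jv", NULL };
    if (child_loader_honours_ld_vars())
        printf("ids match: child would honour LD_*; scrubbing\n");
    printf("removed %zu loader variable(s)\n", scrub_loader_env(env));
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```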