[2352] in bugtraq
Re: Does the shared lib bug work on any suid program ?
daemon@ATHENA.MIT.EDU (John Capo)
Fri Nov 3 21:32:24 1995
Date: Fri, 3 Nov 1995 18:00:13 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: John Capo <jc@irbs.com>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To: <199511031307.OAA00824@visbl.rus.uni-stuttgart.de> from "Bernd Lehle" at Nov 3, 95 02:07:56 pm
Bernd Lehle writes:
>
> Hi there,
>
> after all the fuss about the telnet/shared lib stuff somebody here came up
> with something that might be even more interesting:
>
> What would happen in the following case:
>
> - Choose any suid program that uses a library call whose name you know
> - example: su calls crypt(3)
> - take the library that contains crypt and delete crypt from it
> - add a crypt function that does exec(sh)
> - rebuild the shared library with the new crypt
> - set the shared library path to your home
> - su
>
> Right after the password was typed in, you should have a root shell...
>
> This game could be played with any suid program where you know what routines
> it calls.
>
> Or am I missing something ?
>
FreeBSD does this in ld.so:

    /* Get user and group identifiers */
    uid = getuid(); euid = geteuid();
    gid = getgid(); egid = getegid();
    careful = (uid != euid) || (gid != egid);
    if (careful) {
        unsetenv("LD_LIBRARY_PATH");
        unsetenv("LD_PRELOAD");
    }

This works unless the suid program is run with root as the real
user as is the case for telnetd. I would hope that all ld.so and
equivalents would take a similar precaution otherwise your scenario
is completely valid.
John Capo jc@irbs.com
IRBS Engineering High performance FreeBSD systems
(305) 792-9551 Internet Consulting - ISP Solutions
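The loader precaution quoted in the reply above, written out as an added example that is neither FreeBSD's ld.so code nor part of the original post. It reproduces the "careful" test on real versus effective ids, adds a stricter variant that also treats a privileged effective id as careful (an assumption of this example, intended to cover the telnetd case where uid == euid == 0 and the quoted check never fires), and scrubs LD_LIBRARY_PATH and LD_PRELOAD from a constructed sample environment. All function names and the sample environment are invented here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Mirrors the ld.so check quoted in the post: a process is "careful" only
 * when its real and effective ids differ. */
int ids_are_careful(uid_t uid, uid_t euid, gid_t gid, gid_t egid) {
    return (uid != euid) || (gid != egid);
}

/* Stricter variant (an assumption of this example, not FreeBSD's code):
 * also be careful whenever the effective ids are privileged, which covers
 * root running a setuid program with uid == euid == 0, as telnetd does. */
int ids_are_careful_strict(uid_t uid, uid_t euid, gid_t gid, gid_t egid) {
    return ids_are_careful(uid, euid, gid, egid) || euid == 0 || egid == 0;
}

/* Return 1 if a "NAME=value" entry names one of the loader variables. */
static int is_loader_var(const char *entry) {
    static const char *names[] = { "LD_LIBRARY_PATH", "LD_PRELOAD" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        size_t n = strlen(names[i]);
        if (strncmp(entry, names[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copy env into out (capacity cap, NULL-terminated), dropping the loader
 * variables when careful is set. Returns the number of entries kept, or -1
 * if out cannot hold the kept entries plus the terminator. */
int scrub_environment(char *const env[], int careful, char *out[], size_t cap) {
    size_t kept = 0;
    for (size_t i = 0; env[i] != NULL; i++) {
        if (careful && is_loader_var(env[i]))
            continue;
        if (kept + 1 >= cap)
            return -1;          /* leave room for the NULL terminator */
        out[kept++] = env[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

/* Run the scrub over a constructed sample environment (not a real one) and
 * return how many entries survive, so the result can be checked directly. */
int demo_kept_count(int careful, size_t cap) {
    char *env[] = { "PATH=/bin:/usr/bin",
                    "LD_LIBRARY_PATH=/home/user/lib",     /* constructed */
                    "HOME=/home/user",
                    "LD_PRELOAD=/home/user/lib/x.so",     /* constructed */
                    NULL };
    char *out[8];
    return scrub_environment(env, careful, out, cap);
}

int main(void) {
    int loose  = ids_are_careful(getuid(), geteuid(), getgid(), getegid());
    int strict = ids_are_careful_strict(getuid(), geteuid(), getgid(), getegid());
    printf("careful (ld.so rule): %d  careful (strict rule): %d\n", loose, strict);
    printf("entries kept with scrubbing: %d, without: %d\n",
           demo_kept_count(1, 8), demo_kept_count(0, 8));
    return 0;
}
```

With the quoted rule, a setuid binary started by an unprivileged user (uid 1000, euid 0) is careful and both loader variables are dropped; the same binary started by root (uid 0, euid 0) is not careful under that rule and keeps them, which is exactly the gap the reply points out for telnetd. The strict variant closes that gap at the cost of also scrubbing root's own non-setuid processes, a trade-off a loader author would have to weigh.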