oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Andres Freund <andres () anarazel de>
Date: Sat, 30 Mar 2024 12:32:39 -0700

Hi,

On 2024-03-29 08:51:26 -0700, Andres Freund wrote:
> To be able to resolve symbols in libraries that have not yet loaded, the
> backdoor installs an audit hook into the dynamic linker, which can be observed
> with gdb using
>   watch _rtld_global_ro._dl_naudit
> It looks like the audit hook is only installed for the main binary.

This is one aspect I've, somewhat surprisingly, not seen discussed.  From what
I can tell the rtld-audit infrastructure significantly weakens -z now -z
relro, by making it fairly easy for something loaded earlier to redirect
symbols in later libraries / the main binary.

Purely anecdotally, I've not seen much use of rtld-audit. It's not implemented
in other linux libc implementations like musl, afaict.  Is it time to retire
rtld-audit, or at least to allow applications to opt out of it?

Greetings,

Andres Freund
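
As an added illustration of the rtld-audit point made above (example code
written for this page; it is not code from the xz backdoor, from liblzma, or
from the quoted messages): the minimal audit library below rebinds one symbol
in every object that is loaded after it, including the main binary. The
backdoor installed its hook from inside the process during liblzma's own
initialisation; the supported way for a library author to reach the same
interface is LD_AUDIT, which is what this example uses. The choice of symbol
(getuid), the replacement function and the helper names (pick_binding,
redirect_target) are assumptions made for the example; the la_* entry points
and the LA_FLG_*/LA_SYMB_* values are glibc's.

```c
/* redirect.c: a minimal glibc rtld-audit library that rebinds one symbol at
 * resolution time. Added example, not the thread's or the backdoor's code.
 * The symbol (getuid) and the replacement are illustrative assumptions.
 *
 * Build and run (assumes gcc/glibc on x86-64 Linux):
 *   cc -shared -fPIC -o libredirect.so redirect.c
 *   LD_AUDIT=./libredirect.so id      # reports uid=0 whoever runs it
 * The redirect happens before ld.so writes the referencing object's GOT, so
 * -z now -z relro in the audited binary does not prevent it.
 */
#include <link.h>      /* struct link_map, Elf64_Sym (via elf.h) */
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Values of glibc's LA_FLG_BINDTO/BINDFROM and LA_SYMB_NOPLTENTER/NOPLTEXIT,
 * spelled out so the file also builds when <link.h> hides the audit enums
 * (they are only visible with _GNU_SOURCE). */
#define AUDIT_BINDTO      0x01
#define AUDIT_BINDFROM    0x02
#define AUDIT_NOPLTENTER  0x01
#define AUDIT_NOPLTEXIT   0x02

#define TARGET_SYMBOL "getuid"   /* assumption: the symbol we hijack */

/* The replacement every later object's getuid() call lands in. */
uid_t fake_getuid(void) { return 0; }

uintptr_t redirect_target(void) { return (uintptr_t)&fake_getuid; }

/* Decide which address a binding for `symname` receives. `original` is what
 * ld.so resolved; `flags` (may be NULL) receives LA_SYMB_* hints. Kept apart
 * from la_symbind64 so the policy can be exercised without ld.so. */
uintptr_t pick_binding(const char *symname, uintptr_t original,
                       unsigned int *flags)
{
    if (symname != NULL && strcmp(symname, TARGET_SYMBOL) == 0) {
        /* No la_pltenter/la_pltexit needed for this symbol; just swap it. */
        if (flags != NULL)
            *flags |= AUDIT_NOPLTENTER | AUDIT_NOPLTEXIT;
        return redirect_target();
    }
    return original;
}

/* --- rtld-audit entry points; names and signatures are fixed by glibc --- */

/* Handshake: ld.so passes the interface version it supports. Returning it
 * accepts that version; returning 0 would make ld.so ignore this library. */
unsigned int la_version(unsigned int version)
{
    return version;
}

/* Called for each object as it is mapped, main binary included. Requesting
 * BINDTO|BINDFROM makes ld.so call la_symbind64 for every symbol bound to or
 * from this object. `lmid` is glibc's Lmid_t (a long). */
unsigned int la_objopen(struct link_map *map, long lmid, uintptr_t *cookie)
{
    (void)lmid;
    *cookie = (uintptr_t)map;   /* identifies the object in later callbacks */
    return AUDIT_BINDTO | AUDIT_BINDFROM;
}

/* Called once per symbol binding, before ld.so stores the resolved address
 * in the referencing object's GOT. Whatever this returns is what gets stored;
 * sym->st_value is the address ld.so resolved. */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx, uintptr_t *refcook,
                       uintptr_t *defcook, unsigned int *flags,
                       const char *symname)
{
    (void)ndx; (void)refcook; (void)defcook;
    return pick_binding(symname, (uintptr_t)sym->st_value, flags);
}
```

Because la_symbind64 runs before the resolved address is written, -z now -z
relro only guarantees that the GOT is filled and made read-only early; it is
filled with the audited value. Two caveats when trying this: LD_AUDIT is
dropped for setuid/setgid (AT_SECURE) programs, and older glibc releases did
not call la_symbind* for bind-now relocations at all, so confirm on the target
glibc that the hook actually fires (for instance by breaking on la_symbind64
in gdb, alongside the watchpoint on _rtld_global_ro._dl_naudit quoted above).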

