Penetration Testing mailing list archives
Re: KEYWORDS: shared objects, dynamic linking,
From: Dave Aitel <daitel () atstake com>
Date: Sat, 20 Oct 2001 18:44:40 -0400
True. Although you can still do a lot of interesting things by unsetting suid bits and loading your own libraries to override specific functions. Sharefuzz (see www.atstake.com) does this for environment variables, which is still quite interesting on, say, Solaris, HP-UX, Irix, Tru64, but not very interesting on Linux or BSD. ;> Even better, you can override, say, xdr_string(), with Sharefuzz, and then just go through a normal transaction (say, just log into CDE and open a few programs so that ttdbserverd gets accessed a bit - but now every time it loads a string variable from the network (through xdr_string()) that string is a long string of %n's. When ttdbserverd crashes, you know you've found something worth really digging into. :> -dave Dom De Vitto wrote:
This was an old flaw, patched linkers ignore LD_* for setuid exe's... You've got the right idea though... Dom -----Original Message----- From: Aycan Irican [mailto:aycan () mars prosoft com tr] Sent: 20 October 2001 12:13 To: pen-test () securityfocus com Cc: vuln-dev () securityfocus com; mutty () prosoft com tr; aydin () prosoft com tr; evrim () envy com tr Subject: KEYWORDS: shared objects, dynamic linking, *** PGP Signature Status: unknown *** Signer: Unknown, Key ID = 0x2D002BBF *** Signed: 20/10/2001 12:13:30 *** Verified: 20/10/2001 23:00:13 *** BEGIN PGP VERIFIED MESSAGE *** Hi there, When I'm trying to understand how executables related to shared objects, some questions appeared in my mind(trap)... I'm giving some examples here from the UNIX side... 1. $ uname -a OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5 $ ls -al /usr/dt/bin/dtterm -r-sr-xr-x 1 root bin 60892 Jun 10 05:03 /usr/dt/bin/dtterm here dtterm is suid bit set. To see which shared objects it needs, $ ldd /usr/dt/bin/dtterm /usr/dt/bin/dtterm needs: libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1 ....... /usr/lib/libc.so.1 it's dynamic section includes this, Dynamic Section: NEEDED libDtTerm.so.1 ...... RPATH /usr/dt/lib:/usr/lib ...... so when it runs, I'm understanding that say "first look /usr/dt/lib for loading libDtTerm.so.1". if it doesn't defined here I think I can overwrite the LD_LIBRARY_PATH environment so I could make this system to load MY OWN libDtTerm.so.1magically :) but in Linux side say /usr/X11R6/bin/xlock [aycan@mars doc]$ uname -a Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586 unknown [aycan@mars doc]$ ls -al /usr/X11R6/bin/xlock -r-sr-xr-x 1 root root 1406536 May 3 12:49 /usr/X11R6/bin/xlock I couldn't see any path when I looked at objdump output ...so I think I can export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :) what I'm doing wrong here? is it possible to inject suspicious shared objects so suid program is compromised? any ideas? tnx... -- Aycan rican Systems Engineer Prosoft Communication Systems Ltd. Resit Galip Cad. 85/2 Gaziosmanpaa 06700 Ankara Tel:+90-312-446-6616 Fax:+90-312-446-2423 *** END PGP VERIFIED MESSAGE ***
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- KEYWORDS: shared objects, dynamic linking, Aycan Irican (Oct 20)
- Re: KEYWORDS: shared objects, dynamic linking, Sebastian Jaenicke (Oct 20)
- <Possible follow-ups>
- Re: KEYWORDS: shared objects, dynamic linking, Dave Aitel (Oct 20)