Vulnerability Development mailing list archives
Re: /lib/ld-2.2.4.so
From: Marlon Jabbur <mjabbur () terra com br>
Date: Wed, 24 Apr 2002 17:07:07 -0300
I've tried in a Debian Woody box using /lib/ld-2.2.5.so and it worked.

Marlon

Tech Support wrote:

> I tried this and it seemed to not work on my Linux system. I'm running
> both RedHat 7.1 and 6.0
>
> -----Original Message-----
> From: Sabau Daniel [mailto:draven () UBBCluj Ro]
> Sent: Monday, April 22, 2002 2:44 AM
> To: vuln-dev () securityfocus com
> Cc: focus-linux () securityfocus com
> Subject: /lib/ld-2.2.4.so
>
> or:
>
> lrwxrwxrwx 1 root root 11 Apr 15 12:01 /lib/ld-linux.so.2 -> ld-2.2.4.so
>
> This file gives users the ability of running binaries on which the user
> doesn't have the permission to execute, it is enough to have read ability
> on the file in order to execute it:
>
> -rwxr-xr-- 1 root root 45948 Aug 9 2001 /bin/ls
>
> but using the /lib/ld-2.2.4.so file I can execute the ls command:
>
> [08:51:36][draven@Zero:~]:$/lib/ld-2.2.4.so /bin/ls /
> bin bzImage bzImage3 bzImage5 dev home lib mnt proc sbin usr
> boot bzImage2 bzImage4 bzImage6 etc initrd misc opt root tmp var
>
> I do not have root privileges on this account:
>
> [08:51:38][draven@Zero:~]:$id
> uid=1000(draven) gid=10(wheel) groups=10(wheel),16(trust)
>
> The most interesting part is running binaries on partitions mounted with
> noexec, let's take this partition:
>
> /dev/sda9 on /home/friends type ext2 (rw,noexec,nosuid,nodev,usrquota,grpquota)
>
> I've created a shell account with the home directory:
>
> [mjj@Zero mjj]$ pwd
> /home/friends/mjj
>
> and wrote this C code in a file test.c
>
>     #include <stdio.h>
>
>     /* Prints "Test" so a successful run is visible. */
>     int main(void)
>     {
>         printf("Test");
>         return 0;
>     }
>
> I've compiled it & tried to run:
>
> [mjj@Zero mjj]$ ./a.out
> bash: ./a.out: Permission denied
>
> but when I try to run it with /lib/ld-2.2.4.so:
>
> [mjj@Zero mjj]$ /lib/ld-2.2.4.so ./a.out
> Test
>
> The important thing is to include a full path in the binary name to be
> able to execute it. In the same way I've managed to run the ptrace exploit
> on a nosuid partition.
>
> I'm running a 2.4.18 kernel with grsecurity-1.9.4 patch on a Red Hat Linux
> 7.2 box, but I've succeeded running this file on different Linux boxes and
> I've been successful. Please, if anyone knows how to eliminate this hole in
> my security, give me a reply.
>
> If I try to change the mode on /lib/ls-2.2.4.so to 700, the users will not
> be able to log in on my Linux box, so this is not a solution :)
>
> 10x,
> Dan Sabau
>
> --
> "From all the things I lost,
> My mind, I miss the most!"
> echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
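
An audit for the permission layout described in the message above, as an added example that is not part of the original post: it lists ELF files whose mode grants read but withholds execute for the group or other class, as shown for /bin/ls (-rwxr-xr--). The function names is_elf, scan_class and audit_read_no_exec are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Lists ELF files whose mode grants read but withholds execute for the
# "group" or "other" class: the layout shown for /bin/ls (-rwxr-xr--) in
# the message, where the missing x bit alone does not stop a reader from
# handing the file to the dynamic linker.

# is_elf FILE: succeed if FILE begins with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# scan_class DIR LABEL RBIT XBIT: print "LABEL PATH" for each regular ELF
# file under DIR that has RBIT set and XBIT clear (octal permission bits).
scan_class() {
    find "$1" -type f -perm "-$3" ! -perm "-$4" 2>/dev/null |
    while IFS= read -r f; do
        if is_elf "$f"; then
            printf '%s %s\n' "$2" "$f"
        fi
    done
}

# audit_read_no_exec DIR: report both permission classes for DIR.
audit_read_no_exec() {
    scan_class "$1" other 004 001
    scan_class "$1" group 040 010
}

# Run against the directories given on the command line, if any.
for dir in "$@"; do
    audit_read_no_exec "$dir"
done
```

Saved under an assumed name such as audit.sh, it is invoked as `sh audit.sh /bin /usr/bin`; each output line is the permission class followed by the path.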