Re: /lib/ld-2.2.4.so

[Tompa Septimius Paul <subzero () xena utcluj ro>]

On Mon, 22 Apr 2002, Sabau Daniel wrote:

> or:
> lrwxrwxrwx    1 root     root           11 Apr 15 12:01 /lib/ld-linux.so.2
> -> ld-2.2.4.so
>
>       This file gives users the ability of running binaries on witch the
> user doesn't have the permission to execute, it is enough to have read
> ability on the file in order to execute it:
>
> -rwxr-xr--    1 root     root        45948 Aug  9  2001 /bin/ls
>
> but using the /lib/ld-2.2.4.so file i can execute the ls command:
>
> [08:51:36][draven@Zero:~]:$/lib/ld-2.2.4.so /bin/ls /
> bin   bzImage   bzImage3  bzImage5  dev  home    lib   mnt  proc  sbin
> usr
> boot  bzImage2  bzImage4  bzImage6  etc  initrd  misc  opt  root  tmp
> var
>
> i do not have root preveleges on this account:
>
> [08:51:38][draven@Zero:~]:$id
> uid=1000(draven) gid=10(wheel) groups=10(wheel),16(trust)
>
> The most interesting part is running binaries on partitions mounted with
> noexec, lets take this partition:
>
> /dev/sda9 on /home/friends type ext2
> (rw,noexec,nosuid,nodev,usrquota,grpquota)
>
> i've created a shell acount with the home directory:
>
> [mjj@Zero mjj]$ pwd
> /home/friends/mjj
>
> and wrote this C code in a file test.c
>
> #include <stdio.h>
> void main(void)
> {
>         printf ("Test");
> }
>
> i've compiled it & tryed to run:
>
> [mjj@Zero mjj]$ ./a.out
> bash: ./a.out: Permission denied
>
> but when i try to run it with /lib/ld-2.2.4.so:
>
> [mjj@Zero mjj]$ /lib/ld-2.2.4.so ./a.out
> Test
>
> the important thing is to include a full path in the binary name to be
> able to execute it.
> in the same way i've managed to run the ptrace exploit on a nosuid
> partition
> i'm running a 2.4.18 kernel with grsecurity-1.9.4 patch on a Red Hat
> Linux 7.2 box, but i've succeded running this file on different linux
> boxes and i've been succesfull, please if anyone know how to eliminate
> this hole in my security give me a replay. If i try to change the mode on
> /lib/ls-2.2.4.so to 700, the users will not be able to login on my linux
> box, so this is not a solution:)
>
> 10x,
> Dan Sabau
>
>
> --
>
>
> "From all the things I lost,
> My mind, I miss the most!"
>
> echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
You may use some kernel library restriction it`s in grsecurity if i
remember right or you may use ACLs like the one from LIDS
Septy

--------------------------------------------------------------------------
                                .~.             Tompa Septimius Paul
    Don`t fear                  /V\           Network Administrator CFDP
        the                    // \\  Technical University of Cluj-Napoca
     PENGUIN !                /(   )\         Office Phone: 064-192072
                               ^^-^^           Home Phone: 091-903836

       I didn't know it was impossible
             when I did it.