Bugtraq mailing list archives

Re: Does the shared lib bug work on any suid program ?


From: jc () irbs com (John Capo)
Date: Fri, 3 Nov 1995 18:00:13 -0500


Bernd Lehle writes:

Hi there,

after all the fuss about the telnet/shared lib stuff, somebody here came up
with something that might be even more interesting:

What would happen in the following case:

- Choose any suid program that uses a library call whose name you know
- example: su calls crypt(3)
- take the library that contains crypt and delete crypt from it
- add a crypt function that does exec(sh)
- rebuild the shared library with the new crypt
- set the shared library path to your home
- su

Right after the password was typed in, you should have a root shell...

This game could be played with any suid program where you know what routines
it calls.

Or am I missing something ?


FreeBSD does this in ld.so:

        uid_t uid, euid;
        gid_t gid, egid;
        int careful;

        /* Get user and group identifiers */
        uid = getuid(); euid = geteuid();
        gid = getgid(); egid = getegid();

        /* Set-id: real and effective ids differ, so the caller's
         * environment cannot be trusted to choose libraries */
        careful = (uid != euid) || (gid != egid);

        if (careful) {
                unsetenv("LD_LIBRARY_PATH");
                unsetenv("LD_PRELOAD");
        }

This works unless the suid program is run with root as the real
user, as is the case for telnetd.  I would hope that all ld.so and
equivalents would take a similar precaution; otherwise your scenario
is completely valid.


John Capo                                                   jc () irbs com
IRBS Engineering                       High performance FreeBSD systems
(305) 792-9551                      Internet Consulting - ISP Solutions
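The check John quotes, and the telnetd gap he points out, as an added stand-alone example (this is not code from the original post or from FreeBSD's ld.so; the function names ld_careful, scrub_ld_env and scrub_ld_env_self and the sample uid/gid values are this example's own). It models the "careful" test on explicit ids so both cases can be exercised in one unprivileged process: a user running su (real uid differs from effective uid 0, so the loader variables are dropped) and telnetd's case (real and effective uid both 0, so nothing is dropped and an attacker-supplied LD_LIBRARY_PATH survives).

```c
/* Added example: a model of the ld.so "careful" check, not the
 * original post's code or FreeBSD's.  Function names are assumed. */
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>

/* True when the process is set-id: real and effective ids disagree. */
int ld_careful(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
        return (uid != euid) || (gid != egid);
}

/* Drop the user-controllable loader variables when set-id.
 * Returns 1 if the environment was scrubbed, 0 if it was left alone. */
int scrub_ld_env(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
        if (!ld_careful(uid, euid, gid, egid))
                return 0;
        unsetenv("LD_LIBRARY_PATH");
        unsetenv("LD_PRELOAD");
        return 1;
}

/* Apply the check to the calling process, as ld.so would at startup. */
int scrub_ld_env_self(void)
{
        return scrub_ld_env(getuid(), geteuid(), getgid(), getegid());
}

static const char *show(const char *name)
{
        const char *v = getenv(name);
        return v ? v : "(unset)";
}

int main(void)
{
        /* Constructed scenarios: uid 1000 running su (suid root), and
         * telnetd, whose real user is already root. */
        setenv("LD_LIBRARY_PATH", "/home/attacker/lib", 1);
        printf("su by uid 1000:  scrubbed=%d, LD_LIBRARY_PATH=%s\n",
               scrub_ld_env(1000, 0, 1000, 0), show("LD_LIBRARY_PATH"));

        setenv("LD_LIBRARY_PATH", "/home/attacker/lib", 1);
        printf("telnetd as root: scrubbed=%d, LD_LIBRARY_PATH=%s\n",
               scrub_ld_env(0, 0, 0, 0), show("LD_LIBRARY_PATH"));
        return 0;
}
```

The second case is the hole in the precaution: because the test keys on a uid/gid mismatch rather than on privilege, a root-owned daemon that is itself root gets no protection, and anything it executes inherits whatever LD_LIBRARY_PATH and LD_PRELOAD were handed to it.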


