Bugtraq mailing list archives
Re: Does the shared lib bug work on any suid program ?
From: jc () irbs com (John Capo)
Date: Fri, 3 Nov 1995 18:00:13 -0500
Bernd Lehle writes:
Hi there, after all the fuzz about the telnet/shared lib stuff somebody here came up with something that might be even more interesting: What woul hapen in the following case: - Choose any suid program, that uses a library call, You know the name - example: su calls crypt(3) - take the library that contains crypt and delete crypt from it - add a crypt function that does exec(sh) - rebuild the shared library with the new cypt - set the shared library path to Your home - su Right after the Password was typed in, You should have a root shell... This game could be played with any suid program, where You know what routines it calls. Or am I missing something ?
FreeBSD does this in ld.so: /* Get user and group identifiers */ uid = getuid(); euid = geteuid(); gid = getgid(); egid = getegid(); careful = (uid != euid) || (gid != egid); if (careful) { unsetenv("LD_LIBRARY_PATH"); unsetenv("LD_PRELOAD"); } This works unless the suid program is run with root as the real user as is the case for telnetd. I would hope that all ld.so and equivalents would take a similar precaution otherwise your scenario is completely valid. John Capo jc () irbs com IRBS Engineering High performance FreeBSD systems (305) 792-9551 Internet Consulting - ISP Solutions
Current thread:
- Re: SunOS syslog() fix, finally..., (continued)
- Re: SunOS syslog() fix, finally... Brett Lymn (Nov 13)
- ufsrestore suid root not a security hole Sean Vickery (Nov 16)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 17)
- SGI Security Advisory 19951101 - telnetd SGI Security Coordinator (Nov 17)
- SGI Security Advisory 19951101 - telnetd : UPDATE SGI Security Coordinator (Nov 17)
- Re: SunOS syslog() fix, finally... Pug (Nov 10)
- Turning dynamic into static? Lawrence R. Rogers (Nov 09)
- Re: Telnet attack on SGI Adam Shostack (Nov 02)
- Does the shared lib bug work on any suid program ? Bernd Lehle (Nov 03)
- Re: Does the shared lib bug work on any suid program ? Fred Blonder (Nov 03)
- Re: Does the shared lib bug work on any suid program ? John Capo (Nov 03)
- Re: Does the shared lib bug work on any suid program ? Justin Mason (Nov 06)
- a point is being missed *Hobbit* (Nov 03)
- Re: a point is being missed Scott Barman (Nov 03)
- Re: a point is being missed John Stewart (Nov 03)
- Re: a point is being missed Douglas Siebert (Nov 03)
- Re: a point is being missed Richard Todd (Nov 04)
- Re: a point is being missed Casper Dik (Nov 04)
- Re: Telnet attack on SGI Edwin Kremer (Nov 09)
- Re: Telnet attack on SGI Edwin Kremer (Nov 10)
- Re: Telnet attack on SGI Sam Hartman (Nov 01)