Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x

[lcamtuf () IDS PL (Michal Zalewski)]

On Wed, 25 Aug 1999, Michael K. Johnson wrote:

> Let's make sure we understand this correctly:
>
> #!/bin/sh
> /lib/ld-linux.so.2 "$@"
>
> is roughly equivalent to:
>
> #!/bin/sh
> file=$1
> shift
> cp $file /tmp
> /tmp/$file "$@"
> rm /tmp/$file

No, it isn't equivalent. Noone said /tmp is mounted with exec option. What
I'm trying to tell is that noexec is *NOT* a mechanism provided for
security reasons, and it's at least stupid to use it against hackers,
while a lot of administrators love restricting execution of custom
programs to prevent exploits, while this is the simpliest method (don't
even thinkin' about LD_PRELOAD and so on).

> And, of course, no one is capable of using mmap and PROT_EXEC to do
> their own ld-linux.so-like wrapper, especially since no one has the
> glibc source code to start from.  ;-)

If noone is capable of using his own programs, noone is capable of using
his own linker.

> It is unfortunate that people think that it is a security feature, and
> I will say that you have found one of the more interesting and subtle
> ways to show that it is not a security feature, but this is NOT a
> glibc bug.

Yep, yep, sorry, I didn't wanted to say it's a bug (and didn't said it ;),
I say that it is the simpliest way to bypass noexec and security by
obscurity stinks ;P

Regards,
_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]