Bugtraq mailing list archives
Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Mon, 5 Jul 1999 08:40:05 +0200
On Wed, 25 Aug 1999, Michael K. Johnson wrote:
> Let's make sure we understand this correctly:
>
> #!/bin/sh
> /lib/ld-linux.so.2 "$@"
>
> is roughly equivalent to:
>
> #!/bin/sh
> file=$1
> shift
> cp $file /tmp
> /tmp/$file "$@"
> rm /tmp/$file

No, it isn't equivalent. No one said /tmp is mounted with the exec option. What I'm trying to say is that noexec is *NOT* a mechanism provided for security reasons, and it's at least stupid to use it against hackers, while a lot of administrators love restricting execution of custom programs to prevent exploits, while this is the simplest method (don't even think about LD_PRELOAD and so on).

> And, of course, no one is capable of using mmap and PROT_EXEC to do their own ld-linux.so-like wrapper, especially since no one has the glibc source code to start from. ;-)

If no one is capable of using his own programs, no one is capable of using his own linker.

> It is unfortunate that people think that it is a security feature, and I will say that you have found one of the more interesting and subtle ways to show that it is not a security feature, but this is NOT a glibc bug.

Yep, yep, sorry, I didn't want to say it's a bug (and didn't say it ;), I say that it is the simplest way to bypass noexec and security by obscurity stinks ;P

Regards,
_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
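A defender-side check for the pattern discussed in this message, as an added example that is not part of the original post: it flags command lines that run the dynamic loader directly on a file residing on a noexec mount. The mount table, command lines and function names are constructed for illustration; the option names are those documented for glibc's ld.so.

```python
import re
import shlex

# Constructed sample input: a /proc/mounts excerpt and process command lines.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /tmp/build ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec 0 0
"""
SAMPLE_CMDLINES = [
    "/lib/ld-linux.so.2 /tmp/tool -v",
    "/lib64/ld-linux-x86-64.so.2 --library-path /tmp/lib /home/bob/a.out",
    "/lib/ld-linux.so.2 /tmp/build/gen",
    "/lib/ld-linux.so.2 /usr/bin/id",
    "/bin/cp /tmp/tool /var/tmp/tool",
]
# Loader basenames such as ld-linux.so.2, ld-linux-x86-64.so.2, ld-2.31.so, ld.so.1.
LOADER_RE = re.compile(r"^ld(-linux[\w-]*|-[\d.]+)?\.so(\.\d+)?$")
# ld.so options that consume the following argument.
VALUE_OPTS = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}

def parse_mounts(text):
    """Map each mount point to its set of mount options."""
    rows = (line.split() for line in text.splitlines())
    return {f[1]: set(f[3].split(",")) for f in rows if len(f) >= 4}

def mount_for(path, table):
    """Longest mount point containing path, so a nested exec mount wins over its parent."""
    hits = [mp for mp in table if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len, default=None)

def loader_target(cmdline, table):
    """Program a direct ld.so invocation would load from a noexec mount, else None."""
    argv = shlex.split(cmdline)
    if not argv or not LOADER_RE.match(argv[0].rsplit("/", 1)[-1]):
        return None
    args = argv[1:]
    while args and args[0].startswith("--"):
        if args.pop(0) in VALUE_OPTS and args:  # drop the option, then its value
            args.pop(0)
    if not args:
        return None
    mp = mount_for(args[0], table)  # relative paths are not resolved here
    return args[0] if mp and "noexec" in table[mp] else None

def scan(cmdlines, mounts_text):
    """Return (cmdline, target) pairs for loader runs of files on noexec mounts."""
    table = parse_mounts(mounts_text)
    return [(c, t) for c in cmdlines if (t := loader_target(c, table))]
```

Calling `scan(SAMPLE_CMDLINES, SAMPLE_MOUNTS)` reports the `/tmp/tool` and `/home/bob/a.out` invocations and skips the one under the nested exec mount `/tmp/build`.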