Bugtraq mailing list archives
Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
From: Solar Designer <solar () openwall com>
Date: Sat, 21 Aug 2004 09:02:02 +0400
On Fri, Aug 20, 2004 at 03:24:53AM -0400, Jim Paris wrote:
Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidentional information.It's worse than that. You can essentially single-step through the library calls of a binary by turning on verbose debugging through LD_DEBUG and then carefully controlling stdout so that the program blocks while writing the debugging output. I've used this to exploit race conditions in setuid binaries that would otherwise be nearly impossible to trigger. Gentoo's method of adding LD_DEBUG to UNSECURE_ENVVARS will prevent this.
FWIW, this has been dealt with in Openwall GNU/*/Linux (Owl) before our project was first announced to the public 3+ years ago. ALT Linux is another (or the other?) distribution vendor which also dealt with this roughly 3 years ago. Our patch sets and replacements for the various packages are available for consideration and possible re-use by other distributions. The patches are easy to get without having to download the entire system - as a small tarball (only 1.5 MB gzipped) available on our FTP mirrors or from our public anoncvs and CVSweb servers: http://www.openwall.com/Owl/DOWNLOAD.shtml -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments
Current thread:
- [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG Kurt Lieber (Aug 17)
- Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG Jim Paris (Aug 20)
- Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG Solar Designer (Aug 21)
- Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG Jim Paris (Aug 20)