Re: Breaking the links: Exploiting the linker

[Jamie Nguyen <dyscoria () gmail com>]

Tim Brown <timb@...> writes:

> In the interests of a thorough peer review I'd be curious what people think of 
> the following paper I've been working on Linux and POSIX linkers:
>
> http://www.nth-dimension.org.uk/downloads.php?id=77
>
> A previous revision has already been reviewed but constructive criticism is 
> always useful.  There are some sections that I have removed whilst I wait on  
> vendors but I'm particularly interested in feedback on pertinent references or 
> threats that I may have missed.  As per the abstract, the aim of the paper 
> wasn't to claim everything as my own but rather to document as much about the 
> current state of art as possible.
>
> Tim

Hi,

I am somewhat unknowledgeable about the whole linking process, but I was testing 
out the execution of a file using ld on a filesystem mounted with noexec. I 
followed the example you gave of copying the '/usr/bin/id' executable to a user 
writeable directory and removing the executable bit.

After removing the executable bit, I was still able to execute this on a normal 
filesystem using /lib/ld-linux-x86_64.so.2 but on a filesystem mounted with 
noexec this method did not work.

You suggest in the article:

"...if you're mounting devices with noexec the you should probably ensure that 
they [sic] the runtime linker can't be executed either."

Forgive me if I am being dim, because from what I can see, mounting with noexec 
seems to solve the issue of using ld-linux-x86-64.so.2 to execute non-executable 
files.

I notice in your example that you are using eglibc. I am testing with glibc, so 
perhaps this is the reason?


Kind regards

Jamie