oss-sec mailing list archives

Re: ldd can execute an app unexpectedly


From: Tim Brown <tmb () 65535 com>
Date: Tue, 8 Mar 2011 00:46:05 +0000

On Tuesday 08 March 2011 00:00:11 Dmitry V. Levin wrote:

> In June of 2002, I suggested to change ldd to avoid invoking programs
> directly, even when it seems like that would work, and invoke the dynamic
> linker as a program instead.
> This change was implemented at least in Owl and ALT Linux:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/~checkout~/Owl/packages/glibc/glibc-2.3.6-owl-alt-ldd.diff
> http://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=788577027d2950e9508a434475e04c3af864d169

A slight tangent to this but IIRC there was some suggestion that allowing files
to be mapped to memory with execute permissions when called in this manner was
something that should be considered a bug/feature to be fixed in order to bring
ld.so into line with how execution happens more generally.  I think Tavis or
stealth mentioned it to me regarding the suggestion in my paper that an
attacker could execute binaries in this manner to bypass situations when the
binary didn't, for whatever reason, have +x.  I guess it should be possible to
fix both cases but it's something that needs to be considered.

Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>
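
The following is an added example, not code from this thread or from the Owl/ALT patches: a static reader for the ELF `PT_INTERP` entry, so the loader a file asks for can be checked before anything (including an unpatched `ldd`) executes it directly. It relies on the fact that running a dynamically linked binary directly hands control to the interpreter path the file itself names; `elf_interp`, `interp_is_expected`, `make_sample`, the `TRUSTED` set and the sample paths are assumptions made for illustration.

```python
import struct

PT_INTERP = 3  # program header type that names the requested dynamic linker
# Assumption: loaders considered normal on this host; adjust per distribution.
TRUSTED = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2"}

def elf_interp(data: bytes):
    """Return the PT_INTERP path of an ELF image (None if absent) without running it."""
    if data[:4] != b"\x7fELF" or data[4:5] not in (b"\x01", b"\x02") \
            or data[5:6] not in (b"\x01", b"\x02"):
        raise ValueError("not a recognisable ELF file")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    try:
        if is64:
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        for i in range(phnum):
            base = phoff + i * phentsize
            if is64:   # Elf64_Phdr: p_type, p_flags, p_offset ... p_filesz at +0x20
                p_type, _, off = struct.unpack_from(end + "IIQ", data, base)
                (size,) = struct.unpack_from(end + "Q", data, base + 0x20)
            else:      # Elf32_Phdr: p_type, p_offset ... p_filesz at +0x10
                p_type, off = struct.unpack_from(end + "II", data, base)
                (size,) = struct.unpack_from(end + "I", data, base + 0x10)
            if p_type == PT_INTERP:
                if off + size > len(data):
                    raise ValueError("PT_INTERP points outside the file")
                return data[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")
    except struct.error as exc:              # truncated or malformed headers
        raise ValueError("truncated ELF headers") from exc
    return None

def interp_is_expected(data: bytes) -> bool:
    """True when the file names no interpreter or one from TRUSTED."""
    interp = elf_interp(data)
    return interp is None or interp in TRUSTED

def make_sample(interp: bytes) -> bytes:
    """Constructed 64-bit little-endian stub: ELF header, one PT_INTERP phdr, path."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    n = len(interp) + 1
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, n, n, 1)
    return ehdr + phdr + interp + b"\0"
```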
