PaulDotCom mailing list archives

Re: Privilege escalation with GNU ld dlopen


From: Mike Patterson <mike () snowcrash ca>
Date: Tue, 09 Nov 2010 18:58:01 -0500

On 10-11-09 11:19 AM, Xavier Garcia wrote:
> One should be safe because users need admin rights to write
> there, but playing with setuid binaries is always dangerous.

Well, sure.  But I think Nicholas' point was that your escalation ...
isn't really such, given that on any unixy system, you need to go to
great lengths to allow normal users to write to /lib.  If I can write to
/lib in order to implement your answer to "how do I escalate privileges
with Tavis' exploit," I think that system already has a serious issue,
one that goes beyond "it's got a vulnerable version of glibc installed."

> This could be enforced by implementing a 'secure level' in the
> kernel, but then the maintenance of the system could be a
> nightmare. Imagine having to reboot a critical server just
> because the 'secure level' must be disabled in order to
> install patches :)

I don't just imagine it, I've done it.  If that's what it takes, then
that's what it takes.  Your definition of critical may vary from mine
though, and mine was the FreeBSD implementation, so I could install
_some_ patches without rebooting.

Your point that playing with setuid binaries is dangerous is well
taken, but I'm not sure that I see how it applies given your proposed
solution.  Putting yourself into a situation where normal users can
write to /lib is significantly more dangerous.

Mike
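
A defender's check for the condition discussed in the message above (normal users able to write to /lib), as an added example that is not part of the original post. The function names, the `TRUSTED_OWNER` variable and the directory list in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: list entries in library directories that someone other
# than the trusted owner could modify. TRUSTED_OWNER is an assumed knob;
# it defaults to root and accepts a user name or a numeric uid.
TRUSTED_OWNER="${TRUSTED_OWNER:-root}"

# Print every file or directory under the given paths that is
# world-writable, group-writable, or not owned by TRUSTED_OWNER.
# -H follows a symlinked starting point (e.g. /lib -> usr/lib);
# symlinks inside the tree are skipped because their own mode bits
# are not used for access checks.
audit_lib_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find -H "$dir" -xdev ! -type l \
            \( -perm -0002 -o -perm -0020 -o ! -user "$TRUSTED_OWNER" \) \
            -print 2>/dev/null
    done
}

# Succeeds (exit status 0) only when audit_lib_dirs reports nothing,
# so it can gate a cron job or a configuration-management check.
lib_dirs_clean() {
    [ -z "$(audit_lib_dirs "$@")" ]
}

# Usage (assumed directory list; adjust for the distribution):
#   audit_lib_dirs /lib /lib64 /usr/lib /usr/local/lib
```

Group-writable entries are reported even when the group is root, so review those findings rather than treating each one as a fault.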