Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

RE: KEYWORDS: shared objects, dynamic linking,

From: "Dom De Vitto" <Dom () DeVitto com>
Date: Sat, 20 Oct 2001 23:02:10 +0100
This was an old flaw, patched linkers ignore LD_* for
setuid exe's...

You've got the right idea though...

Dom

-----Original Message-----
From: Aycan Irican [mailto:aycan () mars prosoft com tr]
Sent: 20 October 2001 12:13
To: pen-test () securityfocus com
Cc: vuln-dev () securityfocus com; mutty () prosoft com tr;
aydin () prosoft com tr; evrim () envy com tr
Subject: KEYWORDS: shared objects, dynamic linking,



*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x2D002BBF
*** Signed: 20/10/2001 12:13:30
*** Verified: 20/10/2001 23:00:13
*** BEGIN PGP VERIFIED MESSAGE ***

Hi there,
When I'm trying to understand how executables related to shared objects,
some
questions appeared in my mind(trap)...

I'm giving some examples here from the UNIX side...
1.
        $ uname -a
        OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
        $ ls -al /usr/dt/bin/dtterm
        -r-sr-xr-x    1 root     bin           60892 Jun 10 05:03
/usr/dt/bin/dtterm

here dtterm is suid bit set. To see which shared objects it needs,

        $ ldd /usr/dt/bin/dtterm
        /usr/dt/bin/dtterm needs:
                libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1
                .......
                /usr/lib/libc.so.1

it's dynamic section includes this,
        Dynamic Section:
          NEEDED      libDtTerm.so.1
                ......
          RPATH       /usr/dt/lib:/usr/lib
                ......
so when it runs, I'm understanding that say "first look /usr/dt/lib for
loading libDtTerm.so.1".

if it doesn't defined here I think I can overwrite the LD_LIBRARY_PATH
environment so I could make this system to load MY OWN
libDtTerm.so.1magically :)

but in Linux side say /usr/X11R6/bin/xlock
        [aycan@mars doc]$ uname -a
        Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586       unknown
        [aycan@mars doc]$ ls -al /usr/X11R6/bin/xlock
        -r-sr-xr-x   1 root     root      1406536 May  3 12:49 /usr/X11R6/bin/xlock

I couldn't see any path when I looked at objdump output ...so I think I can
export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)

what I'm doing wrong here?
is it possible to inject suspicious shared objects so suid program is
compromised?
any ideas?

tnx...
--
Aycan rican
Systems Engineer
Prosoft Communication Systems Ltd.
Resit Galip Cad. 85/2 Gaziosmanpaa 06700 Ankara
Tel:+90-312-446-6616 Fax:+90-312-446-2423

*** END PGP VERIFIED MESSAGE ***
Previous By Date Next
Previous By Thread Next

Current thread: