Vulnerability Development mailing list archives

Re: /lib/ld-2.2.4.so


From: Bill Weiss <houdini () nmt edu>
Date: Wed, 24 Apr 2002 01:04:15 -0600

Sabau Daniel(draven () UBBCluj Ro)@Mon, Apr 22, 2002 at 09:43:32AM +0300:
> --snip--
> The important thing is to include a full path in the binary name to be
> able to execute it.
> In the same way I've managed to run the ptrace exploit on a nosuid
> partition.
> I'm running a 2.4.18 kernel with grsecurity-1.9.4 patch on a Red Hat
> Linux 7.2 box, but I've succeeded running this file on different Linux
> boxes and I've been successful. Please, if anyone knows how to eliminate
> this hole in my security, give me a reply. If I try to change the mode on
> /lib/ld-2.2.4.so to 700, the users will not be able to log in on my Linux
> box, so this is not a solution :)

That's an odd problem.

On one hand, it's bad that it "executes" things on a noexec partition.

On the other, the file that is executing is ld-*, and it's just reading
in a file and executing the contents.  This is how it has to work, so
it's not as simple as just not doing that.

Something to note:
It ignores SUID bits.  This is good.

Given that the program (library, whatever) is doing what's intended, there's
not an obvious fix.  It could check to make sure you have execute access
to the file, but I think that would break things.

If you're running a shell, it's probably time to move past the simple
restrictions of noexec and nosuid.

-- 
Bill Weiss
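Added example (not part of Bill Weiss's reply or of the original thread): a small C program that reports what the kernel would check on execve() for a given file, namely the execute bit via access(X_OK), a noexec or nosuid mount via statvfs(), and any set[ug]id bit, and that reads the file's PT_INTERP entry to show which loader the file names. Invoking that loader directly with the file as its argument, as the thread describes, runs the file without any of those checks, because the kernel applies them to the loader binary only and the loader itself just open()s and mmap()s its argument. The make_fake_elf() helper writes a constructed, non-runnable ELF64 fixture under /tmp so the code can be exercised offline; the POLICY_* names, the fixture and the /tmp path are assumptions of this example, which also assumes Linux with <elf.h> and the glibc/musl ST_NOEXEC/ST_NOSUID statvfs flags.

```c
/* Added example (not from the vuln-dev thread): what execve() would check for a
 * file, and which ELF interpreter the file names.  Assumes Linux, <elf.h>, glibc/musl. */
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

enum {                         /* exec_policy() bit flags (names assumed here) */
    POLICY_EXEC_OK    = 1,     /* access(X_OK) passed: execve() would be allowed */
    POLICY_MNT_NOEXEC = 2,     /* filesystem mounted noexec */
    POLICY_MNT_NOSUID = 4,     /* filesystem mounted nosuid */
    POLICY_SETID_BIT  = 8      /* file carries a setuid or setgid bit */
};

/* The checks execve() performs on a file, or -1 if it cannot be stat()ed.
 * "/lib/ld-2.2.4.so ./prog" skips all of them: ld.so is what gets execve()d,
 * while ./prog is merely open()ed and mmap()ed by user-space code. */
int exec_policy(const char *path)
{
    struct stat st; struct statvfs vfs;
    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return -1;
    return (access(path, X_OK) == 0 ? POLICY_EXEC_OK : 0)      /* mode bits + noexec mount */
         | (vfs.f_flag & ST_NOEXEC ? POLICY_MNT_NOEXEC : 0)
         | (vfs.f_flag & ST_NOSUID ? POLICY_MNT_NOSUID : 0)
         | (st.st_mode & (S_ISUID | S_ISGID) ? POLICY_SETID_BIT : 0);
}

/* Copy the PT_INTERP string of an ELF64 file into buf.  Returns 0, or -1 if
 * the file is not ELF64 or names no interpreter (static binaries, non-ELF). */
int elf_interp(const char *path, char *buf, size_t buflen)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    int rc = -1, fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (read(fd, &eh, sizeof eh) != (ssize_t)sizeof eh ||
        memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_phentsize != sizeof ph)
        goto out;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        if (pread(fd, &ph, sizeof ph, (off_t)(eh.e_phoff + i * sizeof ph)) != (ssize_t)sizeof ph)
            break;
        if (ph.p_type != PT_INTERP)
            continue;
        if (ph.p_filesz > 0 && ph.p_filesz <= buflen &&
            pread(fd, buf, ph.p_filesz, (off_t)ph.p_offset) == (ssize_t)ph.p_filesz) {
            buf[ph.p_filesz - 1] = '\0';   /* PT_INTERP is NUL-terminated on disk */
            rc = 0;
        }
        break;                             /* an ELF carries at most one PT_INTERP */
    }
out:
    close(fd);
    return rc;
}

/* Constructed fixture: write a minimal, non-runnable ELF64 (header + one PT_INTERP
 * segment) to a new file under /tmp with the given mode; its path goes to out. */
int make_fake_elf(const char *interp, mode_t mode, char *out, size_t outlen)
{
    char tmpl[] = "/tmp/fakeelf.XXXXXX";
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0};
    size_t ilen = strlen(interp) + 1;
    int fd = mkstemp(tmpl);
    if (fd < 0 || strlen(tmpl) >= outlen)
        return -1;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1; /* phdr follows ehdr */
    ph.p_type = PT_INTERP;
    ph.p_offset = sizeof eh + sizeof ph; ph.p_filesz = ph.p_memsz = ilen; /* string follows phdr */
    if (write(fd, &eh, sizeof eh) != (ssize_t)sizeof eh ||
        write(fd, &ph, sizeof ph) != (ssize_t)sizeof ph ||
        write(fd, interp, ilen) != (ssize_t)ilen || fchmod(fd, mode) != 0) {
        close(fd); unlink(tmpl); return -1;
    }
    close(fd);
    strcpy(out, tmpl);
    return 0;
}

int main(int argc, char **argv)
{
    char interp[256] = "(none)";
    int pol = argc == 2 ? exec_policy(argv[1]) : -1;
    if (pol < 0) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 1; }
    elf_interp(argv[1], interp, sizeof interp);
    printf("execve() allowed=%d noexec=%d nosuid=%d setid=%d PT_INTERP=%s\n",
           !!(pol & POLICY_EXEC_OK), !!(pol & POLICY_MNT_NOEXEC),
           !!(pol & POLICY_MNT_NOSUID), !!(pol & POLICY_SETID_BIT), interp);
    return 0;
}
```

Build with cc -Wall -o execpolicy execpolicy.c and point it at a binary, e.g. ./execpolicy /bin/ls. For a copy of that binary placed on a noexec mount or stripped of its execute bit it reports execve() allowed=0 (current Linux kernels deny X_OK on a regular file on a noexec mount, so access() mirrors execve() here), yet running "<PT_INTERP> <copy>" still works, which is exactly the behaviour the thread is discussing; the setid flag likewise shows a bit that execve() would honour and the loader never looks at.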
