The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[linux-security] Another ld-linux.so problem


<< Previous INDEX Search src Set bookmark Go to bookmark Next >> 
X-RDate: Mon, 09 Feb 1998 11:25:31 +0500 (ESK)
Date: Sat, 7 Feb 1998 03:41:04 -0300
From: Solar Designer <solar@FALSE.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: [linux-security] Another ld-linux.so problem

Hello,

There's another problem in ld-linux.so (and the a.out linker ld.so, too):
it is possible to trick the linker into loading old version of a library
if several versions are installed. This means that if you have upgraded
your libc (or libdb, etc) after a security hole was discovered, updated
/etc/ld.so.cache with ldconfig, and made sure the new version is used,
it still might be possible for an attacker to force a setuid binary into
using your old vulnerable version of the library, if you haven't removed
it from the directories scanned by ldconfig.

The problem is that ldconfig adds all versions of a library into the cache,
and the linker itself doesn't give up if an error occurs. Normally the
latest version is listed first, and it's the only one used. However, we
can consume up the resources, so that the linker fails to load the latest
version, and then free some resources before it tries to load an older one.
This is similar to the stuff Rafal Wojtczuk was explaining here recently
(actually, his post reminded me of this problem).

Here's how to check for this problem:

host:/lib# ls -l libc.so.5.4.*
-rwxr-xr-x   1 root     root      1861963 Mar 24  1997 libc.so.5.4.23*
-rwxr-xr-x   1 bin      bin       1849257 Aug 27 23:52 libc.so.5.4.38*
host:/lib# chmod 700 libc.so.5.4.38
host:/lib# ldd /bin/ls
        libc.so.5 => /lib/libc.so.5.4.38 (0x119000)
host:/lib# su user
host:/lib$ ldd /bin/ls
        libc.so.5 => /lib/libc.so.5.4.23 (0x119000)

The obvious fix would be to remove (chmod 0 is enough, chmod 700 isn't) all
old versions after upgrading. The real fix would be either to patch the
linker so it gives up on some errors (probably check for errno != ENOENT),
or change the way shared library packages install themselves, in all Linux
distributions that are affected.

Signed,
Solar Designer

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру