RE: KEYWORDS: shared objects, dynamic linking,
From: Dom De Vitto (Dom@DeVitto.com)
Date: 10/21/01
- Previous message: Pavel Kankovsky: "Re: Open Response To Microsoft Security - RE: It's Time to End Information Anarchy"
- In reply to: Aycan Irican: "KEYWORDS: shared objects, dynamic linking,"
- Next in thread: Dave Aitel: "Re: KEYWORDS: shared objects, dynamic linking,"
- Reply: Dave Aitel: "Re: KEYWORDS: shared objects, dynamic linking,"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Dom De Vitto" <Dom@DeVitto.com>
To: <aycan@prosoft.com.tr>, <pen-test@securityfocus.com>
Subject: RE: KEYWORDS: shared objects, dynamic linking,
Date: Sat, 20 Oct 2001 23:02:10 +0100
Message-ID: <NDBBJOKICOHGIJLJDFEJGEOFDEAA.Dom@DeVitto.com>
This was an old flaw, patched linkers ignore LD_* for
setuid exe's...
You've got the right idea though...
Dom
-----Original Message-----
From: Aycan Irican [mailto:aycan@mars.prosoft.com.tr]
Sent: 20 October 2001 12:13
To: pen-test@securityfocus.com
Cc: vuln-dev@securityfocus.com; mutty@prosoft.com.tr;
aydin@prosoft.com.tr; evrim@envy.com.tr
Subject: KEYWORDS: shared objects, dynamic linking,
*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x2D002BBF
*** Signed: 20/10/2001 12:13:30
*** Verified: 20/10/2001 23:00:13
*** BEGIN PGP VERIFIED MESSAGE ***
Hi there,
When I was trying to understand how executables are related to shared objects,
some questions appeared in my mind(trap)...
I'm giving some examples here from the UNIX side...
1.
$ uname -a
OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
$ ls -al /usr/dt/bin/dtterm
-r-sr-xr-x 1 root bin 60892 Jun 10 05:03 /usr/dt/bin/dtterm
Here dtterm has the suid bit set. To see which shared objects it needs:
$ ldd /usr/dt/bin/dtterm
/usr/dt/bin/dtterm needs:
libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1
.......
/usr/lib/libc.so.1
Its dynamic section includes this:
Dynamic Section:
NEEDED libDtTerm.so.1
......
RPATH /usr/dt/lib:/usr/lib
......
So when it runs, I understand that it says "first look in /usr/dt/lib to
load libDtTerm.so.1".
If it isn't defined here, I think I can overwrite the LD_LIBRARY_PATH
environment so I could make this system load MY OWN
libDtTerm.so.1 magically :)
But on the Linux side, say /usr/X11R6/bin/xlock:
[aycan@mars doc]$ uname -a
Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586 unknown
[aycan@mars doc]$ ls -al /usr/X11R6/bin/xlock
-r-sr-xr-x 1 root root 1406536 May 3 12:49 /usr/X11R6/bin/xlock
I couldn't see any path when I looked at the objdump output... so I think I can
export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)
What am I doing wrong here?
Is it possible to inject suspicious shared objects so that a suid program is
compromised?
Any ideas?
tnx...
--
Aycan Irican
Systems Engineer
Prosoft Communication Systems Ltd.
Resit Galip Cad. 85/2 Gaziosmanpaşa 06700 Ankara
Tel:+90-312-446-6616 Fax:+90-312-446-2423
*** END PGP VERIFIED MESSAGE ***
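
An audit for the case this thread turns on, added here as an example and not part of either message: with LD_* ignored for setuid executables, the RPATH recorded in the binary's dynamic section is still searched, so each entry is worth checking. The function names and RISKY_SAMPLE are assumptions; the input is text in the `objdump -p` dynamic-section layout.

```python
import os
import stat

# Constructed samples in `objdump -p` style; the first reuses the page's values.
PAGE_SAMPLE = """Dynamic Section:
  NEEDED  libDtTerm.so.1
  RPATH   /usr/dt/lib:/usr/lib
"""
RISKY_SAMPLE = """Dynamic Section:
  NEEDED  libexample.so.1
  RPATH   /opt/example/lib::lib:/tmp/build/lib
"""

def parse_dynamic(text):
    """Collect NEEDED / RPATH / RUNPATH values from dynamic-section text."""
    tags = {"NEEDED": [], "RPATH": [], "RUNPATH": []}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in tags:
            continue
        tag, value = parts[0], parts[1].strip()
        # Search-path tags hold a colon-separated directory list.
        tags[tag].extend([value] if tag == "NEEDED" else value.split(":"))
    return tags

def is_plantable(directory):
    """True if a user other than root could place a file in `directory`."""
    try:
        st = os.stat(directory)
    except OSError:
        return True  # missing directory: report it for manual review
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(text, check=is_plantable):
    """Return (entry, reason) findings for the embedded library search path."""
    tags = parse_dynamic(text)
    findings = []
    for entry in tags["RPATH"] + tags["RUNPATH"]:
        if "$" in entry:
            findings.append((entry, "dynamic string token, review by hand"))
        elif not entry.startswith("/"):  # covers the empty entry as well
            findings.append((entry, "resolved against the current directory"))
        elif check(entry):
            findings.append((entry, "missing, not root-owned, or writable"))
    return findings

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, RISKY_SAMPLE):
        print(audit(sample))
```

Run it over the dynamic section of every setuid binary on a host; the `check` argument lets the directory test be replaced when auditing an unpacked image instead of the live filesystem.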