mailing list archives
Re: KSR[T] Advisory #2: ld.so
From: proff () SUBURBIA NET (Julian Assange)
Date: Sat, 19 Jul 1997 00:07:59 +1000
Affected Program: ld.so / ld-linux.so
Problem Description: ld.so is the run-time linker used by dynamically linked
executables(a.out). Inside the error reporting function
there is a call to vsprintf, which doesn't check the size
of the string it is storing in an automatic buffer.
The ELF version of run-time linker(ld-linux.so) is
vulnerable to an almost identical stack overwrite.
I discovered this attack over a year ago, so let me fill you in.
At that time the a.out ld.so was not vulnerable but ELF ld.so
definately was. Trigging the overflow required a resource starvation
attack on fd's, which was easily performed by setting system resource
consumption limits for file descriptors to an appropriately low value.
FreeBSD was not vulnerable to any ld.so attacks that I could
Prof. Julian Assange |If you want to build a ship, don't drum up people
|together to collect wood and don't assign them tasks
proff () iq org |and work, but rather teach them to long for the endless
proff () gnu ai mit edu |immensity of the sea. -- Antoine de Saint Exupery
- Re: KSR[T] Advisory #2: ld.so Julian Assange (Jul 18)