Home page logo

bugtraq logo Bugtraq mailing list archives

Re: KSR[T] Advisory #2: ld.so
From: proff () SUBURBIA NET (Julian Assange)
Date: Sat, 19 Jul 1997 00:07:59 +1000

Affected Program:    ld.so / ld-linux.so

Problem Description: ld.so is the run-time linker used by dynamically linked
                     executables(a.out).  Inside the error reporting function
                     there is a call to vsprintf, which doesn't check the size
                     of the string it is storing in an automatic buffer.

                     The ELF version of run-time linker(ld-linux.so) is
                     vulnerable to an almost identical stack overwrite.

I discovered this attack over a year ago, so let me fill you in.
At that time the a.out ld.so was not vulnerable but ELF ld.so
definately was. Trigging the overflow required a resource starvation
attack on fd's, which was easily performed by setting system resource
consumption limits for file descriptors to an appropriately low value.

FreeBSD was not vulnerable to any ld.so attacks that I could

Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff () iq org          |and work, but rather teach them to long for the endless
proff () gnu ai mit edu  |immensity of the sea. -- Antoine de Saint Exupery

  By Date           By Thread  

Current thread:
  • Re: KSR[T] Advisory #2: ld.so Julian Assange (Jul 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]