Full Disclosure: DLL hijacking on Linux

[Tim Brown <timb () nth-dimension org uk>]

All,

If you've seen the recent Microsoft advisory.  I put together a nice post on a 
similar DLL hijacking issue that affects Linux (and other POSIX-alikes).  You 
can read the full details on my blog (http://www.nth-
dimension.org.uk/blog.php?id=87) but the key point is that an empty directory 
specification statement in LD_LIBRARY_PATH, PATH (and probably others) is 
equivalent to $CWD.  That is to say that LD_LIBRARY_PATH=":/lib" is equivalent 
to LD_LIBRARY_PATH=".:/lib".  It can occur when a script has 
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/lib" or similar and LD_LIBRARY_PATH hasn't 
previously been defined.  It's worth checking for this kind of thing in scripts 
that may be run via sudo/su when auditing hosts.  I don't believe it's a 
vulnerability per se, but particular instances of broken scripts may well be.

Tim  
-- 
Tim Brown
<mailto:timb () nth-dimension org uk>
<http://www.nth-dimension.org.uk/>

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/