Home page logo

pen-test logo Penetration Testing mailing list archives

KEYWORDS: shared objects, dynamic linking,
From: Aycan Irican <aycan () mars prosoft com tr>
Date: Sat, 20 Oct 2001 14:13:23 +0300

Hash: SHA1

Hi there,
When I'm trying to understand how executables related to shared objects, some 
questions appeared in my mind(trap)...

I'm giving some examples here from the UNIX side...
        $ uname -a
        OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
        $ ls -al /usr/dt/bin/dtterm
        -r-sr-xr-x    1 root     bin           60892 Jun 10 05:03 /usr/dt/bin/dtterm

here dtterm is suid bit set. To see which shared objects it needs,

        $ ldd /usr/dt/bin/dtterm
        /usr/dt/bin/dtterm needs:
                libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1

it's dynamic section includes this,
        Dynamic Section:
          NEEDED      libDtTerm.so.1
          RPATH       /usr/dt/lib:/usr/lib
so when it runs, I'm understanding that say "first look /usr/dt/lib for 
loading libDtTerm.so.1".

if it doesn't defined here I think I can overwrite the LD_LIBRARY_PATH 
environment so I could make this system to load MY OWN 
libDtTerm.so.1magically :)

but in Linux side say /usr/X11R6/bin/xlock
        [aycan () mars doc]$ uname -a
        Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586       unknown
        [aycan () mars doc]$ ls -al /usr/X11R6/bin/xlock
        -r-sr-xr-x   1 root     root      1406536 May  3 12:49 /usr/X11R6/bin/xlock

I couldn't see any path when I looked at objdump output ...so I think I can 
export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)

what I'm doing wrong here?
is it possible to inject suspicious shared objects so suid program is 
any ideas?

- -- 
Aycan ─░rican
Systems Engineer
Prosoft Communication Systems Ltd.
Resit Galip Cad. 85/2 Gaziosmanpa┼ča 06700 Ankara
Tel:+90-312-446-6616 Fax:+90-312-446-2423
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org


This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]