Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: KEYWORDS: shared objects, dynamic linking,
From: Dave Aitel <daitel () atstake com>
Date: Sat, 20 Oct 2001 18:44:40 -0400

True. Although you can still do a lot of interesting things by unsetting suid bits and
loading your own libraries to override specific functions. Sharefuzz (see www.atstake.com)
does this for environment variables, which is still quite interesting on, say, Solaris,
HP-UX, Irix, Tru64, but not very interesting on Linux or BSD. ;>

Even better, you can override, say, xdr_string(), with Sharefuzz, and then just go through
a normal transaction (say, just log into CDE and open a few programs so that ttdbserverd
gets accessed a bit - but now every time it loads a string variable from the network
(through xdr_string()) that string is a long string of %n's. When ttdbserverd crashes, you
know you've found something worth really digging into. :>

-dave


Dom De Vitto wrote:

This was an old flaw, patched linkers ignore LD_* for
setuid exe's...

You've got the right idea though...

Dom

-----Original Message-----
From: Aycan Irican [mailto:aycan () mars prosoft com tr]
Sent: 20 October 2001 12:13
To: pen-test () securityfocus com
Cc: vuln-dev () securityfocus com; mutty () prosoft com tr;
aydin () prosoft com tr; evrim () envy com tr
Subject: KEYWORDS: shared objects, dynamic linking,

*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x2D002BBF
*** Signed: 20/10/2001 12:13:30
*** Verified: 20/10/2001 23:00:13
*** BEGIN PGP VERIFIED MESSAGE ***

Hi there,
When I'm trying to understand how executables related to shared objects,
some
questions appeared in my mind(trap)...

I'm giving some examples here from the UNIX side...
1.
        $ uname -a
        OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
        $ ls -al /usr/dt/bin/dtterm
        -r-sr-xr-x    1 root     bin           60892 Jun 10 05:03
/usr/dt/bin/dtterm

here dtterm is suid bit set. To see which shared objects it needs,

        $ ldd /usr/dt/bin/dtterm
        /usr/dt/bin/dtterm needs:
                libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1
                .......
                /usr/lib/libc.so.1

it's dynamic section includes this,
        Dynamic Section:
          NEEDED      libDtTerm.so.1
                ......
          RPATH       /usr/dt/lib:/usr/lib
                ......
so when it runs, I'm understanding that say "first look /usr/dt/lib for
loading libDtTerm.so.1".

if it doesn't defined here I think I can overwrite the LD_LIBRARY_PATH
environment so I could make this system to load MY OWN
libDtTerm.so.1magically :)

but in Linux side say /usr/X11R6/bin/xlock
        [aycan () mars doc]$ uname -a
        Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586       unknown
        [aycan () mars doc]$ ls -al /usr/X11R6/bin/xlock
        -r-sr-xr-x   1 root     root      1406536 May  3 12:49 /usr/X11R6/bin/xlock

I couldn't see any path when I looked at objdump output ...so I think I can
export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)

what I'm doing wrong here?
is it possible to inject suspicious shared objects so suid program is
compromised?
any ideas?

tnx...
--
Aycan rican
Systems Engineer
Prosoft Communication Systems Ltd.
Resit Galip Cad. 85/2 Gaziosmanpaa 06700 Ankara
Tel:+90-312-446-6616 Fax:+90-312-446-2423

*** END PGP VERIFIED MESSAGE ***


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]