Penetration Testing mailing list archives
KEYWORDS: shared objects, dynamic linking,
From: Aycan Irican <aycan () mars prosoft com tr>
Date: Sat, 20 Oct 2001 14:13:23 +0300
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi there,
When I'm trying to understand how executables are related to shared objects, some
questions appeared in my mind (trap)...
I'm giving some examples here from the UNIX side...
1.
$ uname -a
OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
$ ls -al /usr/dt/bin/dtterm
-r-sr-xr-x 1 root bin 60892 Jun 10 05:03 /usr/dt/bin/dtterm
Here dtterm has the suid bit set. To see which shared objects it needs:
$ ldd /usr/dt/bin/dtterm
/usr/dt/bin/dtterm needs:
libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1
.......
/usr/lib/libc.so.1
Its dynamic section includes this:
Dynamic Section:
NEEDED libDtTerm.so.1
......
RPATH /usr/dt/lib:/usr/lib
......
So when it runs, I understand this to say "first look in /usr/dt/lib to
load libDtTerm.so.1".
If it isn't defined here, I think I can overwrite the LD_LIBRARY_PATH
environment so I could make this system load MY OWN
libDtTerm.so.1 magically :)
But on the Linux side, say /usr/X11R6/bin/xlock:
[aycan@mars doc]$ uname -a
Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586 unknown
[aycan@mars doc]$ ls -al /usr/X11R6/bin/xlock
-r-sr-xr-x 1 root root 1406536 May 3 12:49 /usr/X11R6/bin/xlock
I couldn't see any path when I looked at the objdump output... so I think I can
export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)
What am I doing wrong here?
Is it possible to inject suspicious shared objects so that a suid program is
compromised?
Any ideas?
Thanks...
- --
Aycan İrican
Systems Engineer
Prosoft Communication Systems Ltd.
Resit Galip Cad. 85/2 Gaziosmanpaşa 06700 Ankara
Tel:+90-312-446-6616 Fax:+90-312-446-2423
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE70VxaJZJwgy0AK78RAktSAJ40IxAOnqVC2e5iFGe0RCb6ehV00QCfSHbY
IxPObVUkyYzbYgeJecU+thU=
=mdXj
-----END PGP SIGNATURE-----
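
A defender's check related to the question above, as an added example that is not part of the original post: it reads RPATH/RUNPATH from an `objdump -p`-style dynamic section dump and flags search-path entries a non-root user could influence, which is what matters when auditing setuid binaries. The sample dump, the function names and the `stat_fn` parameter are assumptions made for illustration.

```python
import os
import stat

# Constructed sample in the layout quoted in the post (objdump -p style).
SAMPLE = """\
Dynamic Section:
  NEEDED      libDtTerm.so.1
  NEEDED      libc.so.1
  RPATH       /usr/dt/lib:/usr/lib
"""

def search_paths(dynamic_text):
    """Return the RPATH/RUNPATH directories listed in a dynamic-section dump."""
    dirs = []
    for line in dynamic_text.splitlines():
        fields = line.split(None, 1)
        if fields and fields[0] in ("RPATH", "RUNPATH"):
            dirs.extend((fields[1].strip() if len(fields) > 1 else "").split(":"))
    return dirs

def audit_search_path(dirs, stat_fn=os.stat):
    """Return (entry, reason) for entries a non-root user could influence."""
    findings = []
    for d in dirs:
        if d == "":
            findings.append((d, "empty entry means the current directory"))
        elif "$ORIGIN" in d or "${ORIGIN}" in d:
            findings.append((d, "resolved relative to the binary's location"))
        elif not d.startswith("/"):
            findings.append((d, "relative path"))
        else:
            try:
                st = stat_fn(d)  # stat_fn is injectable so the check can be tested
            except OSError:
                findings.append((d, "missing; check who can create it"))
                continue
            if st.st_uid != 0:
                findings.append((d, "not owned by root"))
            elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((d, "writable by group or others"))
    return findings

if __name__ == "__main__":
    for entry, reason in audit_search_path(search_paths(SAMPLE)):
        print(f"{entry!r}: {reason}")
```
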