A frightening bug

by Alex Handy 10/20/2010 02:56 PM EST

Just a quick note to let everyone know that Glibc is dangerous. This bug can be exploited to gain root privileges. This means that, basically, everything in the GNU tool chain is potentially a vector for entry. Hopefully a patch will be forthcoming, after which you can expect a million recompiles the world over. Also, as this exploit was only just released, you can expect a possible army of 0-day users to have used it already. Long story short: an attacker can change the $ORIGIN in an application in-line, so they could start an app that accesses something harmless, like a txt file, then change the $ORIGIN that remains in memory so that it points to a trojan. Be careful!

From the write up by discoverer, Tavis Ormandy:

"For security, the dynamic linker does not allow use of $ORIGIN substitution sequences for set-user and set-group ID programs. For such sequences that appear within strings specified by DT_RUNPATH dynamic array entries, the specific search path containing the $ORIGIN sequence is ignored (though other search paths in the same string are processed). $ORIGIN sequences within a DT_NEEDED entry or path passed as a parameter to dlopen() are treated as errors. The same restrictions may be applied to processes that have more than minimal privileges on systems with installed extended security mechanisms."

However, glibc ignores this recommendation. The attack the ELF designers were likely concerned about is users creating hardlinks to suid executables in directories they control and then executing them, thus controlling the expansion of $ORIGIN.

It is tough to form a thorough complaint about this glibc behaviour however, as any developer who believes they're smart enough to safely create suid programs should be smart enough to understand the implications of $ORIGIN and hard links on load behaviour. The glibc maintainers are some of the smartest guys in free software, and well known for having a "no hand-holding" stance on various issues, so I suspect they wanted a better argument than this for modifying the behaviour (I pointed it out a few years ago, but there was little interest).

However, I have now discovered a way to exploit this. The origin expansion mechanism is recycled for use in LD_AUDIT support, although an attempt is made to prevent it from working, it is insufficient.

LD_AUDIT is intended for use with the linker auditing api (see the rtld-audit manual), and has the usual restrictions for setuid programs as LD_PRELOAD does. However, $ORIGIN expansion is only prevented if it is not used in isolation.

Currently rated 5.0 by 1 people

Currently 5/5 Stars.
1
2
3
4
5

Share this link: http://www.sdtimes.com/blog/1701

Tags:

security

Why we leave
Ten reasons good workers leave their jobs, plus a few suggestions for retaining them.
05/22/2012 06:14 PM EST

Creation
To write better software, cultivate your ability to be creative.
05/19/2012 07:40 PM EST

Slick...but who needs it?
compilr.com is a well-designed site and the folks behind it seem to have their heart in the right place. But...who needs it?
05/16/2012 12:45 PM EST

How to be a better software developer
Want to be a better developer? You won't get there by mastering an interesting language or learning a new set of APIs.
05/14/2012 12:18 PM EST

Wooing Galatea
Do yourself a favor and check out Galatea 2.2, a wonderful book by novelist Richard Powers.
05/12/2012 07:05 PM EST

The world as story
An artificial-intelligence system at Carnegie Mellon seeks to understand the world by making statements about it.
05/10/2012 06:39 AM EST